88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

328KB
MD5

0518135d19cbb497321df931809a30e8
SHA1

34981352c51a3e3b9031902cc3f733d252c12871
SHA256

88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5
SHA512

adfe6c11cf1af4a5b7af799c2e0d89a660f695149407b54449a3ff4b8186dd3fca3f508670aede4b0592942294ca96d156f2f681a2aaf11481c0711670a17fa2
SSDEEP

6144:P5QCJJfSBEmcHe6VlWT8b9uPUfMP0ftbi8J5HW5T:BQNEvHPVle8eaB/HW

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Azure DevOps.exe"	Client.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 32 IoCs

pid	Process
4008	Process not Found
4744	Process not Found
760	Process not Found
4824	Process not Found
3580	Process not Found
3980	Process not Found
2056	Process not Found
780	Process not Found
4992	Process not Found
3076	Process not Found
4980	Process not Found
4804	Process not Found
4328	Process not Found
1428	Process not Found
4636	Process not Found
2196	Process not Found
2680	Process not Found
4808	Process not Found
4724	Process not Found
1616	Process not Found
788	Process not Found
4916	Process not Found
1872	Process not Found
720	Process not Found
2544	Process not Found
4680	Process not Found
4380	Process not Found
460	Process not Found
2340	Process not Found
1212	Process not Found
2024	Process not Found
4328	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\xdwdGreenshot.exe"	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Creates scheduled task(s) 1 TTPs 34 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
564	schtasks.exe
3692	schtasks.exe
3348	schtasks.exe
4464	schtasks.exe
2376	schtasks.exe
4824	schtasks.exe
3456	schtasks.exe
4004	schtasks.exe
3588	schtasks.exe
4692	schtasks.exe
8	schtasks.exe
1668	schtasks.exe
4260	schtasks.exe
4544	schtasks.exe
2448	schtasks.exe
3536	schtasks.exe
1172	schtasks.exe
2916	schtasks.exe
3908	schtasks.exe
1584	schtasks.exe
4880	schtasks.exe
1108	schtasks.exe
860	schtasks.exe
4664	schtasks.exe
1520	schtasks.exe
4280	schtasks.exe
3720	schtasks.exe
2124	schtasks.exe
4596	schtasks.exe
1580	schtasks.exe
1276	schtasks.exe
4792	schtasks.exe
2416	schtasks.exe
1924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2348	2644	Client.exe	78
PID 2644 wrote to memory of 2348	2644	Client.exe	78
PID 2348 wrote to memory of 4280	2348	CMD.exe	80
PID 2348 wrote to memory of 4280	2348	CMD.exe	80
PID 2644 wrote to memory of 3416	2644	Client.exe	81
PID 2644 wrote to memory of 3416	2644	Client.exe	81
PID 3416 wrote to memory of 3720	3416	CMD.exe	83
PID 3416 wrote to memory of 3720	3416	CMD.exe	83
PID 2644 wrote to memory of 4572	2644	Client.exe	84
PID 2644 wrote to memory of 4572	2644	Client.exe	84
PID 4572 wrote to memory of 4792	4572	CMD.exe	86
PID 4572 wrote to memory of 4792	4572	CMD.exe	86
PID 2644 wrote to memory of 4076	2644	Client.exe	87
PID 2644 wrote to memory of 4076	2644	Client.exe	87
PID 4076 wrote to memory of 3692	4076	CMD.exe	89
PID 4076 wrote to memory of 3692	4076	CMD.exe	89
PID 2644 wrote to memory of 4060	2644	Client.exe	90
PID 2644 wrote to memory of 4060	2644	Client.exe	90
PID 4060 wrote to memory of 4260	4060	CMD.exe	92
PID 4060 wrote to memory of 4260	4060	CMD.exe	92
PID 2644 wrote to memory of 2036	2644	Client.exe	93
PID 2644 wrote to memory of 2036	2644	Client.exe	93
PID 2036 wrote to memory of 1172	2036	CMD.exe	95
PID 2036 wrote to memory of 1172	2036	CMD.exe	95
PID 2644 wrote to memory of 2268	2644	Client.exe	96
PID 2644 wrote to memory of 2268	2644	Client.exe	96
PID 2268 wrote to memory of 2416	2268	CMD.exe	98
PID 2268 wrote to memory of 2416	2268	CMD.exe	98
PID 2644 wrote to memory of 1416	2644	Client.exe	99
PID 2644 wrote to memory of 1416	2644	Client.exe	99
PID 1416 wrote to memory of 1580	1416	CMD.exe	101
PID 1416 wrote to memory of 1580	1416	CMD.exe	101
PID 2644 wrote to memory of 3676	2644	Client.exe	102
PID 2644 wrote to memory of 3676	2644	Client.exe	102
PID 3676 wrote to memory of 2916	3676	CMD.exe	104
PID 3676 wrote to memory of 2916	3676	CMD.exe	104
PID 2644 wrote to memory of 3436	2644	Client.exe	105
PID 2644 wrote to memory of 3436	2644	Client.exe	105
PID 3436 wrote to memory of 3908	3436	CMD.exe	107
PID 3436 wrote to memory of 3908	3436	CMD.exe	107
PID 2644 wrote to memory of 4204	2644	Client.exe	108
PID 2644 wrote to memory of 4204	2644	Client.exe	108
PID 4204 wrote to memory of 3348	4204	CMD.exe	110
PID 4204 wrote to memory of 3348	4204	CMD.exe	110
PID 2644 wrote to memory of 1036	2644	Client.exe	111
PID 2644 wrote to memory of 1036	2644	Client.exe	111
PID 1036 wrote to memory of 1584	1036	CMD.exe	113
PID 1036 wrote to memory of 1584	1036	CMD.exe	113
PID 2644 wrote to memory of 4876	2644	Client.exe	114
PID 2644 wrote to memory of 4876	2644	Client.exe	114
PID 4876 wrote to memory of 4880	4876	CMD.exe	116
PID 4876 wrote to memory of 4880	4876	CMD.exe	116
PID 2644 wrote to memory of 3268	2644	Client.exe	117
PID 2644 wrote to memory of 3268	2644	Client.exe	117
PID 3268 wrote to memory of 4464	3268	CMD.exe	119
PID 3268 wrote to memory of 4464	3268	CMD.exe	119
PID 2644 wrote to memory of 1368	2644	Client.exe	120
PID 2644 wrote to memory of 1368	2644	Client.exe	120
PID 1368 wrote to memory of 4004	1368	CMD.exe	122
PID 1368 wrote to memory of 4004	1368	CMD.exe	122
PID 2644 wrote to memory of 1280	2644	Client.exe	123
PID 2644 wrote to memory of 1280	2644	Client.exe	123
PID 1280 wrote to memory of 1108	1280	CMD.exe	125
PID 1280 wrote to memory of 1108	1280	CMD.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4280
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3720
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3692
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4260
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1172
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1580
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2916
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3348
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1584
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4880
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4464
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1108
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4544
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:564
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2124
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3044
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2376
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3664
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3536
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3588
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4868
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4692
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3172
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4824
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:1952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4664
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4608
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1924
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:8
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3368
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4596
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3456
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:3104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4912
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1276
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
  2⤵
  PID:4152
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/2644-0-0x0000000000AB0000-0x0000000000B08000-memory.dmp

Filesize
352KB

Download
memory/2644-1-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

Filesize
8KB

Download
memory/2644-19-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

Filesize
10.8MB

Download
memory/2644-196-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads