8bd8893f47bbc91bef5e7b9747ef4a7cf36c749a2c21c5af1e0dd297ddc20991

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

378KB
MD5

7b14a00f19e0fb39b84b37a9365d19ec
SHA1

c3bd379a385d4db71df719c25495aca101f3396d
SHA256

8bd8893f47bbc91bef5e7b9747ef4a7cf36c749a2c21c5af1e0dd297ddc20991
SHA512

a19ff44b31eed8a622c5e78a75c2d8132e2d29a051595e1d0fb9ab0b4f1144d561206ba3e8b3685903ff7c0dd85a2d979ce1548ff94a9da11a82aff614e01610
SSDEEP

6144:b0jZ/ce6pz9Jge6VlWT8b9qhlm23w3crW3rboZb:bYMpsPVle8YhLB/

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\xdwdBitdefender Antivirus.exe"	Client.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 44 IoCs

pid	Process
2676	Process not Found
4492	Process not Found
876	Process not Found
1392	Process not Found
3208	WmiApSrv.exe
924	Process not Found
540	Process not Found
3172	Process not Found
2760	Process not Found
1540	Process not Found
2132	Process not Found
3300	Process not Found
1520	Process not Found
1636	Process not Found
2100	Process not Found
1708	Process not Found
1944	Process not Found
3524	Process not Found
684	Process not Found
4568	Process not Found
1328	Process not Found
2892	Process not Found
548	Process not Found
4920	Process not Found
4036	Process not Found
2500	Process not Found
2748	Process not Found
1224	Process not Found
2364	Process not Found
4016	Process not Found
400	Process not Found
1592	Process not Found
4952	Process not Found
4400	Process not Found
3492	Process not Found
2088	Process not Found
3160	Process not Found
4016	Process not Found
4804	Process not Found
3964	Process not Found
3124	Process not Found
1812	Process not Found
4344	Process not Found
3416	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edge = "C:\\Users\\Admin\\Videos\\xdwdVirtualBox.exe"	Client.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\xdwdBitdefender Antivirus.exe	Client.exe
File opened for modification	C:\Windows\xdwdBitdefender Antivirus.exe	Client.exe
File created	C:\Windows\xdwd.dll	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1636	schtasks.exe
8	schtasks.exe
1928	schtasks.exe
1440	schtasks.exe
2132	schtasks.exe
4376	schtasks.exe
2780	schtasks.exe
3888	schtasks.exe
4496	schtasks.exe
404	schtasks.exe
2100	schtasks.exe
3536	schtasks.exe
1688	schtasks.exe
4036	schtasks.exe
4536	schtasks.exe
2340	schtasks.exe
3416	schtasks.exe
3928	schtasks.exe
1876	schtasks.exe
3020	schtasks.exe
4764	schtasks.exe
1744	schtasks.exe
4324	schtasks.exe
3300	schtasks.exe
4672	schtasks.exe
1948	schtasks.exe
860	schtasks.exe
668	schtasks.exe
3732	schtasks.exe
2996	schtasks.exe
4344	schtasks.exe
4296	schtasks.exe
4312	schtasks.exe
1788	schtasks.exe
840	schtasks.exe
1296	schtasks.exe
2024	schtasks.exe
2540	schtasks.exe
4000	schtasks.exe
4436	schtasks.exe
3452	schtasks.exe
1948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3208	WmiApSrv.exe
3208	WmiApSrv.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe
3040	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 5024	3040	Client.exe	96
PID 3040 wrote to memory of 5024	3040	Client.exe	96
PID 5024 wrote to memory of 1440	5024	CMD.exe	98
PID 5024 wrote to memory of 1440	5024	CMD.exe	98
PID 3040 wrote to memory of 4000	3040	Client.exe	100
PID 3040 wrote to memory of 4000	3040	Client.exe	100
PID 4000 wrote to memory of 2024	4000	CMD.exe	102
PID 4000 wrote to memory of 2024	4000	CMD.exe	102
PID 3040 wrote to memory of 1400	3040	Client.exe	103
PID 3040 wrote to memory of 1400	3040	Client.exe	103
PID 1400 wrote to memory of 2540	1400	CMD.exe	105
PID 1400 wrote to memory of 2540	1400	CMD.exe	105
PID 3040 wrote to memory of 1916	3040	Client.exe	108
PID 3040 wrote to memory of 1916	3040	Client.exe	108
PID 1916 wrote to memory of 2132	1916	CMD.exe	110
PID 1916 wrote to memory of 2132	1916	CMD.exe	110
PID 3040 wrote to memory of 2916	3040	Client.exe	112
PID 3040 wrote to memory of 2916	3040	Client.exe	112
PID 2916 wrote to memory of 4536	2916	CMD.exe	114
PID 2916 wrote to memory of 4536	2916	CMD.exe	114
PID 3040 wrote to memory of 1812	3040	Client.exe	119
PID 3040 wrote to memory of 1812	3040	Client.exe	119
PID 1812 wrote to memory of 1636	1812	CMD.exe	121
PID 1812 wrote to memory of 1636	1812	CMD.exe	121
PID 3040 wrote to memory of 4852	3040	Client.exe	122
PID 3040 wrote to memory of 4852	3040	Client.exe	122
PID 4852 wrote to memory of 4344	4852	CMD.exe	124
PID 4852 wrote to memory of 4344	4852	CMD.exe	124
PID 3040 wrote to memory of 4136	3040	Client.exe	127
PID 3040 wrote to memory of 4136	3040	Client.exe	127
PID 4136 wrote to memory of 4000	4136	CMD.exe	129
PID 4136 wrote to memory of 4000	4136	CMD.exe	129
PID 3040 wrote to memory of 1560	3040	Client.exe	131
PID 3040 wrote to memory of 1560	3040	Client.exe	131
PID 1560 wrote to memory of 1744	1560	CMD.exe	133
PID 1560 wrote to memory of 1744	1560	CMD.exe	133
PID 3040 wrote to memory of 32	3040	Client.exe	134
PID 3040 wrote to memory of 32	3040	Client.exe	134
PID 32 wrote to memory of 4376	32	CMD.exe	136
PID 32 wrote to memory of 4376	32	CMD.exe	136
PID 3040 wrote to memory of 1760	3040	Client.exe	137
PID 3040 wrote to memory of 1760	3040	Client.exe	137
PID 1760 wrote to memory of 2340	1760	CMD.exe	139
PID 1760 wrote to memory of 2340	1760	CMD.exe	139
PID 3040 wrote to memory of 3248	3040	Client.exe	140
PID 3040 wrote to memory of 3248	3040	Client.exe	140
PID 3248 wrote to memory of 2780	3248	CMD.exe	142
PID 3248 wrote to memory of 2780	3248	CMD.exe	142
PID 3040 wrote to memory of 2764	3040	Client.exe	143
PID 3040 wrote to memory of 2764	3040	Client.exe	143
PID 2764 wrote to memory of 3888	2764	CMD.exe	145
PID 2764 wrote to memory of 3888	2764	CMD.exe	145
PID 3040 wrote to memory of 1984	3040	Client.exe	146
PID 3040 wrote to memory of 1984	3040	Client.exe	146
PID 1984 wrote to memory of 3416	1984	CMD.exe	148
PID 1984 wrote to memory of 3416	1984	CMD.exe	148
PID 3040 wrote to memory of 1440	3040	Client.exe	149
PID 3040 wrote to memory of 1440	3040	Client.exe	149
PID 1440 wrote to memory of 4296	1440	CMD.exe	151
PID 1440 wrote to memory of 4296	1440	CMD.exe	151
PID 3040 wrote to memory of 3968	3040	Client.exe	152
PID 3040 wrote to memory of 3968	3040	Client.exe	152
PID 3968 wrote to memory of 3928	3968	CMD.exe	154
PID 3968 wrote to memory of 3928	3968	CMD.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Adobe Premiere Pro" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Adobe Premiere Pro" /tr "C:\Windows\xdwdBitdefender Antivirus.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1440
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2024
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Trello" /tr "C:\Users\Admin\Videos\xdwdVirtualBox.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Trello" /tr "C:\Users\Admin\Videos\xdwdVirtualBox.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2132
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4536
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1636
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4344
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4000
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1744
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4376
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2340
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4296
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:2500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4436
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:2236
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4324
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1876
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:2764
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1948
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:2948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3452
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:2000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4312
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3300
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:1812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4672
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4344
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1948
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1788
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4496
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1688
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3300
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3020
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3184
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3732
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:3136
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:8
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:5116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4776
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4764
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:1880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:404
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:1804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4204
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4036
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:1004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:840
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4512
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1296
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:4784
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2100
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST & exit
  2⤵
  PID:1852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "edge update" /tr "C:\Windows\xdwdBitdefender Antivirus.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/3040-0-0x00007FFC18A33000-0x00007FFC18A35000-memory.dmp

Filesize
8KB

Download
memory/3040-1-0x0000000000E80000-0x0000000000EE4000-memory.dmp

Filesize
400KB

Download
memory/3040-2-0x00007FFC18A33000-0x00007FFC18A35000-memory.dmp

Filesize
8KB

Download
memory/3040-18-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-137-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-978-0x0000000001570000-0x000000000157C000-memory.dmp

Filesize
48KB

Download
memory/3040-977-0x000000001C210000-0x000000001C286000-memory.dmp

Filesize
472KB

Download
memory/3040-979-0x00000000015A0000-0x00000000015BE000-memory.dmp

Filesize
120KB

Download