Technical Information
- [HKLM\System\CurrentControlSet\Services\phrblxkfs] 'Start' = '00000002' (start type 2: the service is launched automatically at system startup)
- [HKLM\System\CurrentControlSet\Services\phrblxkfs] 'ImagePath' = '<SYSTEM32>\escalated.exe phrblxkfs'
- 'phrblxkfs' <SYSTEM32>\escalated.exe phrblxkfs (service name, then the command line it runs, matching the ImagePath value above)
- <SYSTEM32>\escalated.exe
- from <Full path to file> to <SYSTEM32>\wostmp\_763257105_1857204185
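- '1.###.248.27':27930 (remote endpoint; '#' marks digits the report has masked, so the addresses in this list are partial and cannot be matched verbatim, while the destination port is given in full)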
- '58.##.147.71':27930
- '22#.#1.122.230':27930
- '18#.#1.63.214':27930
- '18#.#8.212.176':27930
- '12#.#60.154.252':27930
- '11#.#10.212.150':27930
- '10#.#16.52.20':27930
- '98.##9.82.42':27930
- '59.##.201.97':27930
- '16#.#05.124.79':27930
- '17#.16.8.50':27930
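- '<LOCALNET>.118.3':64108 (<LOCALNET> appears to be a report placeholder, like <SYSTEM32>, standing in for the local network prefix rather than a literal address)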
- '<LOCALNET>.118.3':27930
- '10#.#1.194.192':16800
- '<LOCALNET>.118.2':27930
- '<LOCALNET>.118.1':27930
- '14.#92.2.37':27930
- '<LOCALNET>.118.0':27930
- '19#.#3.138.90':27930
- '61.##4.50.237':27930
- '<SYSTEM32>\escalated.exe' phrblxkfs