servhelper | 153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772

Analysis

max time kernel
125s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe
Size

4.7MB
MD5

178e442aa91768f00d754b395bb5c89e
SHA1

ff7ea0a36080deb166178b7fca97d33955d55dfa
SHA256

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
SHA512

2db61a73bc22cc283aee3bdb8420ca9f5617869afa1df74fc8672c7fce9ac014ead0be496de8bfa7764f4ba5288b6f87db142d4791a505a969daea95df7cbca6

Score

10^/10

servhelper backdoor discovery exploit persistence trojan

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 3 IoCs

Processes:

NisSrv.comNisSrv.comipconfig.exe

pid	Process
3372	NisSrv.com
2564	NisSrv.com
4600	ipconfig.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
4920	icacls.exe
3860	icacls.exe
1292	takeown.exe
4228	icacls.exe
4180	icacls.exe
2892	icacls.exe
2844	icacls.exe
2588	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe

Drops startup file 1 IoCs

Processes:

NisSrv.com

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyIGmHfccK.url	NisSrv.com

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
4228	icacls.exe
4180	icacls.exe
2892	icacls.exe
2844	icacls.exe
2588	icacls.exe
4920	icacls.exe
3860	icacls.exe
1292	takeown.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rfxvmt.dll	powershell.exe
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

NisSrv.com

description	pid	Process	procid_target
PID 2564 set thread context of 4600	2564	NisSrv.com	94

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exe

pid	Process
4600	ipconfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2036	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
852	PING.EXE
3044	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1376	powershell.exe
1376	powershell.exe
452	powershell.exe
452	powershell.exe
4648	powershell.exe
4648	powershell.exe
5004	powershell.exe
5004	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
648

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NisSrv.com

pid	Process
2564	NisSrv.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exe

description	pid	Process
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	4180	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.execmd.execmd.exeNisSrv.comNisSrv.comipconfig.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 3296 wrote to memory of 1484	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	79
PID 3296 wrote to memory of 1484	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	79
PID 3296 wrote to memory of 1484	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	79
PID 3296 wrote to memory of 1440	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	81
PID 3296 wrote to memory of 1440	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	81
PID 3296 wrote to memory of 1440	3296	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	81
PID 1440 wrote to memory of 5076	1440	cmd.exe	83
PID 1440 wrote to memory of 5076	1440	cmd.exe	83
PID 1440 wrote to memory of 5076	1440	cmd.exe	83
PID 5076 wrote to memory of 852	5076	cmd.exe	84
PID 5076 wrote to memory of 852	5076	cmd.exe	84
PID 5076 wrote to memory of 852	5076	cmd.exe	84
PID 5076 wrote to memory of 812	5076	cmd.exe	85
PID 5076 wrote to memory of 812	5076	cmd.exe	85
PID 5076 wrote to memory of 812	5076	cmd.exe	85
PID 5076 wrote to memory of 3372	5076	cmd.exe	86
PID 5076 wrote to memory of 3372	5076	cmd.exe	86
PID 5076 wrote to memory of 3372	5076	cmd.exe	86
PID 5076 wrote to memory of 3044	5076	cmd.exe	87
PID 5076 wrote to memory of 3044	5076	cmd.exe	87
PID 5076 wrote to memory of 3044	5076	cmd.exe	87
PID 3372 wrote to memory of 2564	3372	NisSrv.com	88
PID 3372 wrote to memory of 2564	3372	NisSrv.com	88
PID 3372 wrote to memory of 2564	3372	NisSrv.com	88
PID 2564 wrote to memory of 4600	2564	NisSrv.com	94
PID 2564 wrote to memory of 4600	2564	NisSrv.com	94
PID 2564 wrote to memory of 4600	2564	NisSrv.com	94
PID 2564 wrote to memory of 4600	2564	NisSrv.com	94
PID 4600 wrote to memory of 1376	4600	ipconfig.exe	95
PID 4600 wrote to memory of 1376	4600	ipconfig.exe	95
PID 4600 wrote to memory of 1376	4600	ipconfig.exe	95
PID 1376 wrote to memory of 3784	1376	powershell.exe	97
PID 1376 wrote to memory of 3784	1376	powershell.exe	97
PID 1376 wrote to memory of 3784	1376	powershell.exe	97
PID 3784 wrote to memory of 2496	3784	csc.exe	98
PID 3784 wrote to memory of 2496	3784	csc.exe	98
PID 3784 wrote to memory of 2496	3784	csc.exe	98
PID 1376 wrote to memory of 452	1376	powershell.exe	99
PID 1376 wrote to memory of 452	1376	powershell.exe	99
PID 1376 wrote to memory of 452	1376	powershell.exe	99
PID 1376 wrote to memory of 4648	1376	powershell.exe	101
PID 1376 wrote to memory of 4648	1376	powershell.exe	101
PID 1376 wrote to memory of 4648	1376	powershell.exe	101
PID 1376 wrote to memory of 5004	1376	powershell.exe	103
PID 1376 wrote to memory of 5004	1376	powershell.exe	103
PID 1376 wrote to memory of 5004	1376	powershell.exe	103
PID 1376 wrote to memory of 1292	1376	powershell.exe	105
PID 1376 wrote to memory of 1292	1376	powershell.exe	105
PID 1376 wrote to memory of 1292	1376	powershell.exe	105
PID 1376 wrote to memory of 4228	1376	powershell.exe	106
PID 1376 wrote to memory of 4228	1376	powershell.exe	106
PID 1376 wrote to memory of 4228	1376	powershell.exe	106
PID 1376 wrote to memory of 4180	1376	powershell.exe	107
PID 1376 wrote to memory of 4180	1376	powershell.exe	107
PID 1376 wrote to memory of 4180	1376	powershell.exe	107
PID 1376 wrote to memory of 2892	1376	powershell.exe	108
PID 1376 wrote to memory of 2892	1376	powershell.exe	108
PID 1376 wrote to memory of 2892	1376	powershell.exe	108
PID 1376 wrote to memory of 2844	1376	powershell.exe	109
PID 1376 wrote to memory of 2844	1376	powershell.exe	109
PID 1376 wrote to memory of 2844	1376	powershell.exe	109
PID 1376 wrote to memory of 2588	1376	powershell.exe	110
PID 1376 wrote to memory of 2588	1376	powershell.exe	110
PID 1376 wrote to memory of 2588	1376	powershell.exe	110

C:\Users\Admin\AppData\Local\Temp\153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe
"C:\Users\Admin\AppData\Local\Temp\153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo qIKXL
  2⤵
  PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < TUXWQNTevtbkTvanZiBxZRaCwLXTRQVANFwFDEEDmYGDhFs.bmrhtLVwCxVyQZlGpXnhxMVxCXVwkPgcxpvaNHcwKq
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 CpD.RKWigx
      4⤵
      Runs ping.exe
      PID:852
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode kalLzATvQOcyNnPvDVKxJFDNeYNDhETEMKpTRwhMRLyJRhrC.AJdMvgFObJcMdojVRargWEBHXDXmUVOUkOMVCRfcDyx IG
      4⤵
      PID:812
  - - C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com
      NisSrv.com IG
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com
        
        C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com IG
        5⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\ipconfig.exe
        
        C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\ipconfig.exe
        6⤵
        Executes dropped EXE
        Gathers network information
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
        7⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gdv4qnb\3gdv4qnb.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC890.tmp" "c:\Users\Admin\AppData\Local\Temp\3gdv4qnb\CSCFD6FE10DE1D242D49A6E2EC6794AEA3C.TMP"
        9⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\SysWOW64\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1292
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4228
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2892
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2844
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2588
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4920
        
        C:\Windows\SysWOW64\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        8⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        8⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        8⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net start rdpdr
        9⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        10⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        11⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c net start TermService
        9⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\net.exe
        
        net start TermService
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        8⤵
        
        PID:1424
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
e2e6bbdcc5cb2b2a8e58e62380cbdeeb

SHA1
fd3b0bbf8d08573d022e54ceb111e4dfe93ff752

SHA256
2cf90543f0e785093db02f3ce60471d639ec8e5030a2ea0d70187ce55c248cf2

SHA512
82ff827ccb3eb01f00713dfcf4d2ef8107c86d206698a366293bb723e36d9a20dba44c818d40e79824fd72c76987e71d69565a3079bccaaa0626d64a13014317

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gdv4qnb\3gdv4qnb.dll

Filesize
3KB

MD5
6465a0e55eb60382c67bf539af81433d

SHA1
1f77a6b06d83fbe9e14bd051ec93ae343d4d46d9

SHA256
7302948be8f514776c374e5fe51bacce3c7e2fd5f786c52fd163068acfcec383

SHA512
1c1b58338b9e0f8257e5e799348f7956e4a24c102cb164adc098b4d7b7745fdd00db6e80928faa1e2d3d7f8b8d910995ee79b22b02f211ec7a61f204083af5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\IG

Filesize
688KB

MD5
28a80c7500e5f1a51a79c04e778b129a

SHA1
9e06a9897adc6eb312253efcc68f3e796c99fdc4

SHA256
48347e1b79b1b1c0b7f013b1529bcec47329b952107d5be4bc0dbba74a5424b6

SHA512
cdf08c89da3fc257751ed4967e16f2fbfca8225f9f243b56b08d6476080900eaf0c5f19d20da368273a650347b698d0e41f56cde931d70a5bd4e838bf002fe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\LnlAyejloDZjcabcwsiNXbHfyakxJCJI.RcYGcCOqLBitFsvcHCbTyngRUxNQSAFTdmDWnOGPzM

Filesize
917KB

MD5
b66801f8eef442b1e664f189c16e7f78

SHA1
241c92e2343630ad6b3d80daf6c96c590f60ed2d

SHA256
4b99e26b74e219107c6e804d16cbfb5573fed5e1eeb7c9b6158cc0d89a8b6edd

SHA512
1c4c45f2eb1b95c37b710a06f92ee63235895e6e0d2556fdb620bb1406c60f21cb34ca8c6ea2b9d802e1acc4b2566cee8a94119a3a129288727856c67302c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\TUXWQNTevtbkTvanZiBxZRaCwLXTRQVANFwFDEEDmYGDhFs.bmrhtLVwCxVyQZlGpXnhxMVxCXVwkPgcxpvaNHcwKq

Filesize
4KB

MD5
da8b22fac5b55784d0fbd13f3dec5a7b

SHA1
558d61ee117e2ad110f16d37cf467c2eef8dcf0b

SHA256
3da74cd8116929b271ff972e0f7d647556ce040f0c42014acaf88307b72100a8

SHA512
0a1129fb2468f5ca9cb7a97158186cb2afcdcec50050bc4bbb7eacf7f548d406dd56813585a7589267fbfbd3f73a4887394aecc1b4a69d229f5bfaee7f06840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\ipconfig.exe

Filesize
28KB

MD5
3a3b9a5e00ef6a3f83bf300e2b6b67bb

SHA1
261127183df2987de2239806dd74fe624c430608

SHA256
87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81

SHA512
21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\kalLzATvQOcyNnPvDVKxJFDNeYNDhETEMKpTRwhMRLyJRhrC.AJdMvgFObJcMdojVRargWEBHXDXmUVOUkOMVCRfcDyx

Filesize
946KB

MD5
c7a34ebd14db0c22d5566f79c9f615e8

SHA1
733e005d41c2859064cae874389eaff21a207cf3

SHA256
2ce950f5f99c6c8c60dacbb2d645c83bcf4c267b70e15fddd54a3a125e14d5ce

SHA512
b9e3467aa266f8ee9cedb641b889031a3c02dd7118cc614c6b971bcbb8672e9b268732a383617a6dd2617530495388a55249d0d4826173e1999f23d5179827d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\uiMqOXolVgOuNmWSWIAajzsJUNwTnEH.RlQdeFqcDwZkvzjfeptDffuNPeuwWfMsGjg

Filesize
3.8MB

MD5
08c4484ecf3d845fa964a86efae56220

SHA1
0cbb9518f98963393dccc8fea430b3b21e276add

SHA256
5d5fc5f305338b316f88c9e4e7a4f93b69d62d1a0f395f938d7a99b1c622c02e

SHA512
f8c0f267614e45c0a2c92bb49d1f0d085fddaf6f0b069d748740251fc2bb80781b5fafb536a2d7935b4345f638d282d99f0408ff239bb007d036c556c42425c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC890.tmp

Filesize
1KB

MD5
d149608461652cbe917bed241b9810e6

SHA1
d682789450797998665d4f6c6c6b1f4d459b7c34

SHA256
219cbf9b6a9a6e5ef1b4cf0abb71a05ee92da8e69b91c614ab6acbaf0017686d

SHA512
984b6acda33454840ededed9e57eb7365f441e0d69aaa91fd869791d85fe946ed653fde3150f3003fb0fce15a66ea23b81da1479016fc0c68630594e1d6cf0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
2.5MB

MD5
3d35069362f7ed5b63792e98fc05bbfd

SHA1
f8e154d21efdc10e63a92a8c79f58b7500400659

SHA256
987584a98850e15d016fddc264735c54b514d06c6a2fe83de1e9d8a0310b2082

SHA512
1cf1c98f01626aa835b0e53511c91150a7c718c9cd4be329759af6fc4d596c3e14ae50b15d7fba104b371b1e554160488bb59d5128bfc3e0fa89a7a5e33a7a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip

Filesize
1.9MB

MD5
27520dd0b047eb7628f26120ddc120ed

SHA1
ef04cce914946fc75d269e11006c968d2602329d

SHA256
893e5fb8894f38b0970b4bf9ecaa18f72f6db78fd21a67a7ca2feac839709e3d

SHA512
89e9f29ec8fd2f18b1f69325b07be12afe5c1597f2fe4057f2dbaeb2f0a497b73d06cbc989833c610613aa40d0d67debea9796ececf45ad25a8409d4ec5b7a78

Download Submit
C:\Windows\SysWOW64\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3gdv4qnb\3gdv4qnb.0.cs

Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3gdv4qnb\3gdv4qnb.cmdline

Filesize
369B

MD5
12acb9e54b1146f1914479369fced862

SHA1
d0c7d7063881add86cc84bce94dd952b40325923

SHA256
c26d0c5c5b3e3c6c4b0aeccb6fadbd8391ace30121ff34e007376de6d4a25d33

SHA512
cc2077b8d1d7291903cc07aa9ac79c79c772324fdd86a2682e0c14db901cfbe9d480da7c22abf2acc73ef77686eb46ad83de5884da1e32aba865b666b937d5dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3gdv4qnb\CSCFD6FE10DE1D242D49A6E2EC6794AEA3C.TMP

Filesize
652B

MD5
e9ec7dfeaa1314b473d8d77d79af8dc9

SHA1
58bd8c94d469332323d0528e7172b0caf22ec76e

SHA256
c8556a28f1a6a619d7002a0be359bcbed2ccb5040cc117e39337027fa67c2d63

SHA512
51b10e9e446f5ff14760a4dee3bae55e315d87e86e176854541f97d5de16775919d01ba64fb575ea474da08776e6bd6bbd999a35e91492e3051b2a81e5473ade

Download Submit
memory/216-207-0x0000000000000000-mapping.dmp

Download
memory/452-172-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/452-178-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/452-175-0x0000000006F80000-0x0000000006F8A000-memory.dmp

Filesize
40KB

Download
memory/452-174-0x0000000006AA0000-0x0000000006ABE000-memory.dmp

Filesize
120KB

Download
memory/452-173-0x0000000071630000-0x0000000071984000-memory.dmp

Filesize
3.3MB

Download
memory/452-177-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/452-171-0x0000000006DB0000-0x0000000006DE2000-memory.dmp

Filesize
200KB

Download
memory/452-176-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/452-179-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/452-168-0x0000000002E45000-0x0000000002E47000-memory.dmp

Filesize
8KB

Download
memory/452-167-0x0000000000000000-mapping.dmp

Download
memory/812-204-0x0000000000000000-mapping.dmp

Download
memory/812-136-0x0000000000000000-mapping.dmp

Download
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/1292-190-0x0000000000000000-mapping.dmp

Download
memory/1376-151-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/1376-215-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/1376-166-0x0000000006B50000-0x0000000006B7C000-memory.dmp

Filesize
176KB

Download
memory/1376-189-0x0000000009960000-0x0000000009F04000-memory.dmp

Filesize
5.6MB

Download
memory/1376-158-0x0000000006AC0000-0x0000000006ADA000-memory.dmp

Filesize
104KB

Download
memory/1376-169-0x0000000005105000-0x0000000005107000-memory.dmp

Filesize
8KB

Download
memory/1376-157-0x0000000008D30000-0x00000000093AA000-memory.dmp

Filesize
6.5MB

Download
memory/1376-155-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/1376-154-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/1376-153-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/1376-152-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/1376-188-0x0000000008B20000-0x0000000008B42000-memory.dmp

Filesize
136KB

Download
memory/1376-150-0x0000000002F70000-0x0000000002FA6000-memory.dmp

Filesize
216KB

Download
memory/1376-216-0x0000000071630000-0x0000000071984000-memory.dmp

Filesize
3.3MB

Download
memory/1376-148-0x0000000000000000-mapping.dmp

Download
memory/1424-214-0x0000000000000000-mapping.dmp

Download
memory/1440-131-0x0000000000000000-mapping.dmp

Download
memory/1484-130-0x0000000000000000-mapping.dmp

Download
memory/2036-200-0x0000000000000000-mapping.dmp

Download
memory/2096-211-0x0000000000000000-mapping.dmp

Download
memory/2140-210-0x0000000000000000-mapping.dmp

Download
memory/2496-162-0x0000000000000000-mapping.dmp

Download
memory/2564-142-0x0000000000000000-mapping.dmp

Download
memory/2588-196-0x0000000000000000-mapping.dmp

Download
memory/2844-195-0x0000000000000000-mapping.dmp

Download
memory/2892-194-0x0000000000000000-mapping.dmp

Download
memory/3044-140-0x0000000000000000-mapping.dmp

Download
memory/3068-209-0x0000000000000000-mapping.dmp

Download
memory/3372-138-0x0000000000000000-mapping.dmp

Download
memory/3784-159-0x0000000000000000-mapping.dmp

Download
memory/3836-205-0x0000000000000000-mapping.dmp

Download
memory/3860-198-0x0000000000000000-mapping.dmp

Download
memory/3964-199-0x0000000000000000-mapping.dmp

Download
memory/4160-208-0x0000000000000000-mapping.dmp

Download
memory/4180-193-0x0000000000000000-mapping.dmp

Download
memory/4228-192-0x0000000000000000-mapping.dmp

Download
memory/4288-206-0x0000000000000000-mapping.dmp

Download
memory/4328-201-0x0000000000000000-mapping.dmp

Download
memory/4476-213-0x0000000000000000-mapping.dmp

Download
memory/4484-202-0x0000000000000000-mapping.dmp

Download
memory/4600-149-0x0000000000040000-0x000000000040F000-memory.dmp

Filesize
3.8MB

Download
memory/4600-146-0x0000000000000000-mapping.dmp

Download
memory/4648-180-0x0000000000000000-mapping.dmp

Download
memory/4648-182-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/4648-181-0x00000000047E5000-0x00000000047E7000-memory.dmp

Filesize
8KB

Download
memory/4648-183-0x0000000071630000-0x0000000071984000-memory.dmp

Filesize
3.3MB

Download
memory/4920-197-0x0000000000000000-mapping.dmp

Download
memory/5004-187-0x0000000071630000-0x0000000071984000-memory.dmp

Filesize
3.3MB

Download
memory/5004-184-0x0000000000000000-mapping.dmp

Download
memory/5004-185-0x0000000004C05000-0x0000000004C07000-memory.dmp

Filesize
8KB

Download
memory/5004-186-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/5076-133-0x0000000000000000-mapping.dmp

Download
memory/5092-203-0x0000000000000000-mapping.dmp

Download