4e1663b571d65e76b431b1167aac3670a76ed0a8612972c6e3615cb4e32a1966

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75dd271f5ec4b5b321661e3de6a25331.exe
Size

412KB
MD5

75dd271f5ec4b5b321661e3de6a25331
SHA1

eccf1c70ecb19c537ec5269863b998cc84acb4de
SHA256

4e1663b571d65e76b431b1167aac3670a76ed0a8612972c6e3615cb4e32a1966
SHA512

6f540edd92932cdc8a105be2741b33464836080f90e373bfe2e825b6dceac0915ffdc97404e9ce333185f8bdbc50dab0d1b22493c87e5180cc3aa584c4b850d7
SSDEEP

6144:ryOilt0zY2NpUy3bz6aDXLagSzDBRBBAYDm7V1/s1L4KKdAfwB+mikNPl11Pr3:eO2t0Mipf3SmXV8BHm7Va4vmwB+98/1D

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HDVNCRun.exe

Executes dropped EXE 64 IoCs

pid	Process
2444	HDVNCRun.exe
2672	HDVNCRun.exe
2212	HDVNCRun.exe
2628	HDVNCRun.exe
2724	hdvncrun.exe
3004	winvnc.exe
2616	hdvncrun.exe
2844	winvnc.exe
2892	hdvncrun.exe
1520	winvnc.exe
2592	hdvncrun.exe
2000	winvnc.exe
2028	hdvncrun.exe
1232	winvnc.exe
2500	hdvncrun.exe
1824	winvnc.exe
1820	hdvncrun.exe
1412	winvnc.exe
2156	hdvncrun.exe
980	winvnc.exe
1548	hdvncrun.exe
1616	winvnc.exe
1608	hdvncrun.exe
1504	winvnc.exe
1760	hdvncrun.exe
1492	winvnc.exe
2332	hdvncrun.exe
2432	winvnc.exe
2084	hdvncrun.exe
2928	winvnc.exe
3056	hdvncrun.exe
2936	winvnc.exe
636	hdvncrun.exe
1816	winvnc.exe
3044	hdvncrun.exe
2392	winvnc.exe
1096	hdvncrun.exe
1712	winvnc.exe
1048	hdvncrun.exe
1392	winvnc.exe
848	hdvncrun.exe
1656	winvnc.exe
1740	hdvncrun.exe
1008	winvnc.exe
988	hdvncrun.exe
1364	winvnc.exe
1868	hdvncrun.exe
2312	winvnc.exe
2912	hdvncrun.exe
1640	winvnc.exe
1648	hdvncrun.exe
900	winvnc.exe
2972	hdvncrun.exe
688	winvnc.exe
2124	hdvncrun.exe
1328	winvnc.exe
1972	hdvncrun.exe
2512	winvnc.exe
2984	hdvncrun.exe
1692	winvnc.exe
2292	hdvncrun.exe
1480	winvnc.exe
876	hdvncrun.exe
1736	winvnc.exe

Loads dropped DLL 64 IoCs

pid	Process
1756	75dd271f5ec4b5b321661e3de6a25331.exe
1756	75dd271f5ec4b5b321661e3de6a25331.exe
2444	HDVNCRun.exe
2444	HDVNCRun.exe
2444	HDVNCRun.exe
2444	HDVNCRun.exe
2672	HDVNCRun.exe
2672	HDVNCRun.exe
2672	HDVNCRun.exe
2672	HDVNCRun.exe
2672	HDVNCRun.exe
2672	HDVNCRun.exe
2212	HDVNCRun.exe
2212	HDVNCRun.exe
2212	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\helpdesk.txt	HDVNCRun.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\sound.wav	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\splash.jpg	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\rc4.key	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\icon2.ico	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\HDVNCRun.ini	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\HDVNCRun.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\rc4.key	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\icon2.ico	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\winvnc.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\HDVNCRun.ini	hdvncrun.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\cad.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\UnZip32.dll	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\HDVNCRun.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\UnZip32.dll	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe
2628	HDVNCRun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe
Token: SeTcbPrivilege	2628	HDVNCRun.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2444	HDVNCRun.exe
2444	HDVNCRun.exe
2444	HDVNCRun.exe
2672	HDVNCRun.exe
2212	HDVNCRun.exe
2628	HDVNCRun.exe
2724	hdvncrun.exe
2724	hdvncrun.exe
2616	hdvncrun.exe
2616	hdvncrun.exe
2892	hdvncrun.exe
2892	hdvncrun.exe
2592	hdvncrun.exe
2592	hdvncrun.exe
2028	hdvncrun.exe
2028	hdvncrun.exe
2500	hdvncrun.exe
2500	hdvncrun.exe
1820	hdvncrun.exe
1820	hdvncrun.exe
2156	hdvncrun.exe
2156	hdvncrun.exe
1548	hdvncrun.exe
1548	hdvncrun.exe
1608	hdvncrun.exe
1608	hdvncrun.exe
1760	hdvncrun.exe
1760	hdvncrun.exe
2332	hdvncrun.exe
2332	hdvncrun.exe
2084	hdvncrun.exe
2084	hdvncrun.exe
3056	hdvncrun.exe
3056	hdvncrun.exe
636	hdvncrun.exe
636	hdvncrun.exe
3044	hdvncrun.exe
3044	hdvncrun.exe
1096	hdvncrun.exe
1096	hdvncrun.exe
1048	hdvncrun.exe
1048	hdvncrun.exe
848	hdvncrun.exe
848	hdvncrun.exe
1740	hdvncrun.exe
1740	hdvncrun.exe
988	hdvncrun.exe
988	hdvncrun.exe
1868	hdvncrun.exe
1868	hdvncrun.exe
2912	hdvncrun.exe
2912	hdvncrun.exe
1648	hdvncrun.exe
1648	hdvncrun.exe
2972	hdvncrun.exe
2972	hdvncrun.exe
2124	hdvncrun.exe
2124	hdvncrun.exe
1972	hdvncrun.exe
1972	hdvncrun.exe
2984	hdvncrun.exe
2984	hdvncrun.exe
2292	hdvncrun.exe
2292	hdvncrun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 1756 wrote to memory of 2444	1756	75dd271f5ec4b5b321661e3de6a25331.exe	28
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2444 wrote to memory of 2672	2444	HDVNCRun.exe	29
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2672 wrote to memory of 2212	2672	HDVNCRun.exe	30
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2212 wrote to memory of 2548	2212	HDVNCRun.exe	31
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2548 wrote to memory of 2604	2548	net.exe	33
PID 2628 wrote to memory of 2724	2628	HDVNCRun.exe	35
PID 2628 wrote to memory of 2724	2628	HDVNCRun.exe	35
PID 2628 wrote to memory of 2724	2628	HDVNCRun.exe	35
PID 2628 wrote to memory of 2724	2628	HDVNCRun.exe	35
PID 2628 wrote to memory of 3004	2628	HDVNCRun.exe	36
PID 2628 wrote to memory of 3004	2628	HDVNCRun.exe	36
PID 2628 wrote to memory of 3004	2628	HDVNCRun.exe	36
PID 2628 wrote to memory of 3004	2628	HDVNCRun.exe	36
PID 2628 wrote to memory of 2616	2628	HDVNCRun.exe	37
PID 2628 wrote to memory of 2616	2628	HDVNCRun.exe	37
PID 2628 wrote to memory of 2616	2628	HDVNCRun.exe	37
PID 2628 wrote to memory of 2616	2628	HDVNCRun.exe	37
PID 2628 wrote to memory of 2844	2628	HDVNCRun.exe	38
PID 2628 wrote to memory of 2844	2628	HDVNCRun.exe	38
PID 2628 wrote to memory of 2844	2628	HDVNCRun.exe	38
PID 2628 wrote to memory of 2844	2628	HDVNCRun.exe	38
PID 2628 wrote to memory of 2892	2628	HDVNCRun.exe	39
PID 2628 wrote to memory of 2892	2628	HDVNCRun.exe	39
PID 2628 wrote to memory of 2892	2628	HDVNCRun.exe	39
PID 2628 wrote to memory of 2892	2628	HDVNCRun.exe	39
PID 2628 wrote to memory of 1520	2628	HDVNCRun.exe	40
PID 2628 wrote to memory of 1520	2628	HDVNCRun.exe	40
PID 2628 wrote to memory of 1520	2628	HDVNCRun.exe	40
PID 2628 wrote to memory of 1520	2628	HDVNCRun.exe	40
PID 2628 wrote to memory of 2592	2628	HDVNCRun.exe	41
PID 2628 wrote to memory of 2592	2628	HDVNCRun.exe	41
PID 2628 wrote to memory of 2592	2628	HDVNCRun.exe	41
PID 2628 wrote to memory of 2592	2628	HDVNCRun.exe	41
PID 2628 wrote to memory of 2000	2628	HDVNCRun.exe	42

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\BackupConsentPromptBehaviorAdmin = "5"	HDVNCRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HDVNCRun.exe

C:\Users\Admin\AppData\Local\Temp\75dd271f5ec4b5b321661e3de6a25331.exe
"C:\Users\Admin\AppData\Local\Temp\75dd271f5ec4b5b321661e3de6a25331.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1756
- \??\c:\progra~1\remotehelp36\HDVNCRun.exe
  .\HDVNCRun.exe /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - \??\c:\progra~1\remotehelp36\HDVNCRun.exe
    c:\progra~1\remotehelp36\HDVNCRun.exe -installserviceadmin
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\progra~1\remotehelp36\HDVNCRun.exe
      "C:\progra~1\remotehelp36\HDVNCRun.exe" /installservice
      4⤵
      UAC bypass
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2212
    - - C:\Windows\SysWOW64\net.exe
        
        net start HelpDeskVNCV3
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start HelpDeskVNCV3
        6⤵
        
        PID:2604

\??\c:\progra~1\remotehelp36\HDVNCRun.exe
c:\progra~1\remotehelp36\HDVNCRun.exe /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2724
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3004
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2616
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2844
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2892
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2028
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1232
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2500
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1820
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1412
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2156
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:980
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1548
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1616
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1608
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1760
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1492
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2332
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2432
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2084
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3056
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2936
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:636
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1816
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3044
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2392
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1096
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1048
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1392
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1656
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:988
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1364
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1868
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2312
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1640
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1648
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:900
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2972
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:688
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2124
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1328
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1972
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2512
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2984
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1692
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2292
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1480
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  PID:876
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2092
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2204
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2032
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2812
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2520
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1688
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2472
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2040
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2776
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2792
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2132
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:3052
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2820
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2796
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2772
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2752
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2560
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2384
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2656
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2876
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3028
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1956
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2692
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2572
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2600
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2548
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2396
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1748
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2716
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2836
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2344
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1920
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:516
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:580
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:904
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1240
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:240
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1828
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1380
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1612
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2760
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2860
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2884
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2844
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1728
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2832
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1520
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1996
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2492
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2272
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2504
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2200
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1156
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2004
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1976
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:756
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2456
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:892
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1952
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1336
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:108
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2484
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:628
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1448
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1912
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1284
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2416
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2940
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2928
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2944
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1316
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1816
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2392
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:440
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1572
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:684
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1528
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2116
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1720
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1540
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2376
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\remotehelp36\HDVNCRun.ini

Filesize
1KB

MD5
08c8f44426c908bb53d642342662b8e2

SHA1
1f8f0a77bd006be13bf8c5eaa110afad710f315b

SHA256
3e31d530254a98da0390df42ff255b04f95a8fc2a1884bde890ff29f52b2f86d

SHA512
b6d00bdeb22720460026665f54d927b82d4ff620b2e1474002b999f708b6da84294f1dae86fec5409c0d4802d1cc9cfebabf560f6069702ea6209a57d1570e4c

Download Submit
\??\c:\progra~1\remotehelp36\HDVNCRun.ini

Filesize
1KB

MD5
943eedac078b526b54a8bc9ac67ecaec

SHA1
b9085fa92033eec66f2bc6db75cb20854d011511

SHA256
3a7791194fcbf94aa64053fa18880f28664dd19fd2f5065853f1ba4b6da067e0

SHA512
ac55bbf2d73fd630e19ecdf0fec6b31bcb16f0f4fdf80702f685bbb11cfa0838d68e28114b67dbfa838e5274031d73333a3eb5a6aa71a1a3af7ea4a25602d517

Download Submit
\??\c:\progra~1\remotehelp36\helpdesk.txt

Filesize
553B

MD5
780c55703bd34190cbbbc7c6bc0c10f9

SHA1
01aa150b2f0cce4542294be03f91927db7354200

SHA256
0fdf2d176e724a48cb9688dafa6e7e98adb86d7e9c6dc7b3b1321afc52207eed

SHA512
031dcb673bed72940bdd9245624d4ac7998473cf9c1fc558d08f84f2d61c93e3bcaedf14687959f102202d87f0e1926efbe6041afaecc7936f22403ee1b6754b

Download Submit
\??\c:\progra~1\remotehelp36\helpdesk.txt

Filesize
561B

MD5
910f637807b80c8d2ea703bfec574c3e

SHA1
bf49ec0cee0ec23b022cf2da2cbedd24047dda85

SHA256
5b833119aa4230be152872ab82cc19d868b734c0d0d0a74fb83a0ce11127e718

SHA512
8dd5ac8e19c9dcb5f53925b6894b984731c2a4538e5f8af37813f8db3fd74ba1142fe8b246e0c56c436c8e21e19e5f70786c7c687d479567cf3c3aeba4d0b4f7

Download Submit
\??\c:\progra~1\remotehelp36\splash.jpg

Filesize
4KB

MD5
8bd0265e477fac89844f247d509e689f

SHA1
eddb9593721384fdd87954e99754a6206a3b719e

SHA256
47daa0441e35b0113442a27d33707a3ff6ddb7a5d56efa3be31c035e8dfb6d5a

SHA512
c77f19f72202391011acb12941c2f0d65090ea2d87219ee80848a455e05519109c4d013764773017590140a94f3389c0185c2e63d7854bf5eac7f6c181e2db01

Download Submit
\PROGRA~1\remotehelp36\HDVNCRun.exe

Filesize
160KB

MD5
b51fd23f85bce01f55a41952ef82a471

SHA1
1e5242faa214b8ec94df48d3641db12b67b4c95f

SHA256
8bb928f92f87b5c968daf510d0e0c87563e0d8fa5ddf9a49616b29bf8a0f3c88

SHA512
9d50b552ab6409595d8bb9f86068b38157084541289e0232e2c15d683e801a2d7efc6b2047f73c84bf81c64a62529f9bc60487bb7600fd664e6c0d08ead621cd

Download Submit
\PROGRA~1\remotehelp36\winvnc.exe

Filesize
508KB

MD5
3bee39a195f797edebdfef6b31f9aa95

SHA1
4367fc1d8e0db7c1136f0bb89614ac92785ff498

SHA256
587d1afbb8f97894f38b37ea4af66fc754ca5753c2183e2cb058b9e698c9b044

SHA512
9541e88f112d9cf247b6552c6685fbbcf808576c77d707356292481e1aaa7758636935a7f8463681b486b021d97f35dd0e82487bd07f7819c414b23814a04cf6

Download Submit