4e1663b571d65e76b431b1167aac3670a76ed0a8612972c6e3615cb4e32a1966

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75dd271f5ec4b5b321661e3de6a25331.exe
Size

412KB
MD5

75dd271f5ec4b5b321661e3de6a25331
SHA1

eccf1c70ecb19c537ec5269863b998cc84acb4de
SHA256

4e1663b571d65e76b431b1167aac3670a76ed0a8612972c6e3615cb4e32a1966
SHA512

6f540edd92932cdc8a105be2741b33464836080f90e373bfe2e825b6dceac0915ffdc97404e9ce333185f8bdbc50dab0d1b22493c87e5180cc3aa584c4b850d7
SSDEEP

6144:ryOilt0zY2NpUy3bz6aDXLagSzDBRBBAYDm7V1/s1L4KKdAfwB+mikNPl11Pr3:eO2t0Mipf3SmXV8BHm7Va4vmwB+98/1D

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	HDVNCRun.exe

Executes dropped EXE 64 IoCs

pid	Process
1064	HDVNCRun.exe
2312	HDVNCRun.exe
4916	HDVNCRun.exe
4656	HDVNCRun.exe
4012	hdvncrun.exe
3576	winvnc.exe
1336	winvnc.exe
1980	hdvncrun.exe
680	winvnc.exe
1736	hdvncrun.exe
2004	winvnc.exe
2372	hdvncrun.exe
532	hdvncrun.exe
4556	winvnc.exe
3840	hdvncrun.exe
2084	winvnc.exe
2180	hdvncrun.exe
1384	winvnc.exe
3996	hdvncrun.exe
4404	winvnc.exe
4000	hdvncrun.exe
816	winvnc.exe
4680	hdvncrun.exe
4960	winvnc.exe
5052	hdvncrun.exe
4436	winvnc.exe
2944	hdvncrun.exe
676	winvnc.exe
4172	hdvncrun.exe
3236	winvnc.exe
1564	hdvncrun.exe
4908	winvnc.exe
3848	hdvncrun.exe
208	winvnc.exe
840	hdvncrun.exe
2064	winvnc.exe
2996	hdvncrun.exe
1508	winvnc.exe
4848	hdvncrun.exe
4576	winvnc.exe
3180	hdvncrun.exe
1260	winvnc.exe
4356	hdvncrun.exe
3184	winvnc.exe
1160	hdvncrun.exe
1404	winvnc.exe
680	hdvncrun.exe
3592	winvnc.exe
912	hdvncrun.exe
1984	winvnc.exe
4832	hdvncrun.exe
4684	winvnc.exe
220	hdvncrun.exe
2976	winvnc.exe
3320	winvnc.exe
856	hdvncrun.exe
1860	hdvncrun.exe
4004	winvnc.exe
4080	hdvncrun.exe
2208	winvnc.exe
3244	hdvncrun.exe
2104	winvnc.exe
2468	hdvncrun.exe
4368	winvnc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\progra~1\remotehelp36\splash.jpg	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\icon1.ico	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\sound.wav	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\icon2.ico	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\UnZip32.dll	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\icon1.ico	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\splash.jpg	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\HDVNCRun.ini	hdvncrun.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\sound.wav	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\UnZip32.dll	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\winvnc.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\HDVNCRun.ini	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\winvnc.exe	75dd271f5ec4b5b321661e3de6a25331.exe
File created	\??\c:\progra~1\remotehelp36\helpdesk.txt	HDVNCRun.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\HDVNCRun.ini	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\rc4.key	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\rc4.key	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File created	\??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm	75dd271f5ec4b5b321661e3de6a25331.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe
File opened for modification	\??\c:\progra~1\remotehelp36\helpdesk.txt	winvnc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1064	HDVNCRun.exe
1064	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe
4656	HDVNCRun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe
Token: SeTcbPrivilege	4656	HDVNCRun.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1064	HDVNCRun.exe
1064	HDVNCRun.exe
1064	HDVNCRun.exe
2312	HDVNCRun.exe
4916	HDVNCRun.exe
4656	HDVNCRun.exe
4012	hdvncrun.exe
4012	hdvncrun.exe
1980	hdvncrun.exe
1980	hdvncrun.exe
1736	hdvncrun.exe
1736	hdvncrun.exe
2372	hdvncrun.exe
2372	hdvncrun.exe
532	hdvncrun.exe
532	hdvncrun.exe
3840	hdvncrun.exe
3840	hdvncrun.exe
2180	hdvncrun.exe
2180	hdvncrun.exe
3996	hdvncrun.exe
3996	hdvncrun.exe
4000	hdvncrun.exe
4000	hdvncrun.exe
4680	hdvncrun.exe
4680	hdvncrun.exe
5052	hdvncrun.exe
5052	hdvncrun.exe
2944	hdvncrun.exe
2944	hdvncrun.exe
4172	hdvncrun.exe
4172	hdvncrun.exe
1564	hdvncrun.exe
1564	hdvncrun.exe
3848	hdvncrun.exe
3848	hdvncrun.exe
840	hdvncrun.exe
840	hdvncrun.exe
2996	hdvncrun.exe
2996	hdvncrun.exe
4848	hdvncrun.exe
4848	hdvncrun.exe
3180	hdvncrun.exe
3180	hdvncrun.exe
4356	hdvncrun.exe
4356	hdvncrun.exe
1160	hdvncrun.exe
1160	hdvncrun.exe
680	hdvncrun.exe
680	hdvncrun.exe
912	hdvncrun.exe
912	hdvncrun.exe
4832	hdvncrun.exe
4832	hdvncrun.exe
220	hdvncrun.exe
220	hdvncrun.exe
856	hdvncrun.exe
856	hdvncrun.exe
1860	hdvncrun.exe
1860	hdvncrun.exe
4080	hdvncrun.exe
4080	hdvncrun.exe
3244	hdvncrun.exe
3244	hdvncrun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1064	1856	75dd271f5ec4b5b321661e3de6a25331.exe	85
PID 1856 wrote to memory of 1064	1856	75dd271f5ec4b5b321661e3de6a25331.exe	85
PID 1856 wrote to memory of 1064	1856	75dd271f5ec4b5b321661e3de6a25331.exe	85
PID 1064 wrote to memory of 2312	1064	HDVNCRun.exe	89
PID 1064 wrote to memory of 2312	1064	HDVNCRun.exe	89
PID 1064 wrote to memory of 2312	1064	HDVNCRun.exe	89
PID 2312 wrote to memory of 4916	2312	HDVNCRun.exe	90
PID 2312 wrote to memory of 4916	2312	HDVNCRun.exe	90
PID 2312 wrote to memory of 4916	2312	HDVNCRun.exe	90
PID 4916 wrote to memory of 2000	4916	HDVNCRun.exe	92
PID 4916 wrote to memory of 2000	4916	HDVNCRun.exe	92
PID 4916 wrote to memory of 2000	4916	HDVNCRun.exe	92
PID 2000 wrote to memory of 1824	2000	net.exe	94
PID 2000 wrote to memory of 1824	2000	net.exe	94
PID 2000 wrote to memory of 1824	2000	net.exe	94
PID 4656 wrote to memory of 4012	4656	HDVNCRun.exe	100
PID 4656 wrote to memory of 4012	4656	HDVNCRun.exe	100
PID 4656 wrote to memory of 4012	4656	HDVNCRun.exe	100
PID 4656 wrote to memory of 3576	4656	HDVNCRun.exe	101
PID 4656 wrote to memory of 3576	4656	HDVNCRun.exe	101
PID 4656 wrote to memory of 3576	4656	HDVNCRun.exe	101
PID 4656 wrote to memory of 1980	4656	HDVNCRun.exe	103
PID 4656 wrote to memory of 1980	4656	HDVNCRun.exe	103
PID 4656 wrote to memory of 1980	4656	HDVNCRun.exe	103
PID 4656 wrote to memory of 1336	4656	HDVNCRun.exe	104
PID 4656 wrote to memory of 1336	4656	HDVNCRun.exe	104
PID 4656 wrote to memory of 1336	4656	HDVNCRun.exe	104
PID 4656 wrote to memory of 1736	4656	HDVNCRun.exe	107
PID 4656 wrote to memory of 1736	4656	HDVNCRun.exe	107
PID 4656 wrote to memory of 1736	4656	HDVNCRun.exe	107
PID 4656 wrote to memory of 680	4656	HDVNCRun.exe	108
PID 4656 wrote to memory of 680	4656	HDVNCRun.exe	108
PID 4656 wrote to memory of 680	4656	HDVNCRun.exe	108
PID 4656 wrote to memory of 2372	4656	HDVNCRun.exe	109
PID 4656 wrote to memory of 2372	4656	HDVNCRun.exe	109
PID 4656 wrote to memory of 2372	4656	HDVNCRun.exe	109
PID 4656 wrote to memory of 2004	4656	HDVNCRun.exe	110
PID 4656 wrote to memory of 2004	4656	HDVNCRun.exe	110
PID 4656 wrote to memory of 2004	4656	HDVNCRun.exe	110
PID 4656 wrote to memory of 532	4656	HDVNCRun.exe	111
PID 4656 wrote to memory of 532	4656	HDVNCRun.exe	111
PID 4656 wrote to memory of 532	4656	HDVNCRun.exe	111
PID 4656 wrote to memory of 4556	4656	HDVNCRun.exe	112
PID 4656 wrote to memory of 4556	4656	HDVNCRun.exe	112
PID 4656 wrote to memory of 4556	4656	HDVNCRun.exe	112
PID 4656 wrote to memory of 3840	4656	HDVNCRun.exe	114
PID 4656 wrote to memory of 3840	4656	HDVNCRun.exe	114
PID 4656 wrote to memory of 3840	4656	HDVNCRun.exe	114
PID 4656 wrote to memory of 2084	4656	HDVNCRun.exe	113
PID 4656 wrote to memory of 2084	4656	HDVNCRun.exe	113
PID 4656 wrote to memory of 2084	4656	HDVNCRun.exe	113
PID 4656 wrote to memory of 2180	4656	HDVNCRun.exe	115
PID 4656 wrote to memory of 2180	4656	HDVNCRun.exe	115
PID 4656 wrote to memory of 2180	4656	HDVNCRun.exe	115
PID 4656 wrote to memory of 1384	4656	HDVNCRun.exe	116
PID 4656 wrote to memory of 1384	4656	HDVNCRun.exe	116
PID 4656 wrote to memory of 1384	4656	HDVNCRun.exe	116
PID 4656 wrote to memory of 3996	4656	HDVNCRun.exe	118
PID 4656 wrote to memory of 3996	4656	HDVNCRun.exe	118
PID 4656 wrote to memory of 3996	4656	HDVNCRun.exe	118
PID 4656 wrote to memory of 4404	4656	HDVNCRun.exe	117
PID 4656 wrote to memory of 4404	4656	HDVNCRun.exe	117
PID 4656 wrote to memory of 4404	4656	HDVNCRun.exe	117
PID 4656 wrote to memory of 4000	4656	HDVNCRun.exe	119

C:\Users\Admin\AppData\Local\Temp\75dd271f5ec4b5b321661e3de6a25331.exe
"C:\Users\Admin\AppData\Local\Temp\75dd271f5ec4b5b321661e3de6a25331.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1856
- \??\c:\progra~1\remotehelp36\HDVNCRun.exe
  .\HDVNCRun.exe /install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1064
- - \??\c:\progra~1\remotehelp36\HDVNCRun.exe
    c:\progra~1\remotehelp36\HDVNCRun.exe -installserviceadmin
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\progra~1\remotehelp36\HDVNCRun.exe
      "C:\progra~1\remotehelp36\HDVNCRun.exe" /installservice
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\net.exe
        
        net start HelpDeskVNCV3
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start HelpDeskVNCV3
        6⤵
        
        PID:1824

\??\c:\progra~1\remotehelp36\HDVNCRun.exe
c:\progra~1\remotehelp36\HDVNCRun.exe /service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4012
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3576
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1980
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1336
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1736
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:680
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2372
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2004
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4556
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2084
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3840
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2180
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1384
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3996
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4000
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:816
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4960
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4680
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5052
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4436
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2944
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:676
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4172
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3236
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3848
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:208
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:840
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2064
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2996
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1508
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4848
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4576
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1260
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3180
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4356
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1160
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:680
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:912
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1984
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4832
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:220
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:856
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3320
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4080
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3244
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2104
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  - Executes dropped EXE
  PID:2468
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3628
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1384
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4076
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4404
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1608
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:816
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4960
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1632
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4436
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2524
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4728
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:4976
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3292
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1248
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2684
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2460
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:5072
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4152
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2480
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:968
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3720
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4824
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4540
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1940
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:264
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1064
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1584
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:5012
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2596
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2052
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4452
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1240
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3552
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:3212
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4296
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1796
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:3896
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1080
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:724
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1624
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4628
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1164
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3972
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4104
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4340
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:3732
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:1808
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4684
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4344
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2740
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4676
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2764
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4200
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2760
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:3572
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4084
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2424
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4168
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:772
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:3844
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2708
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:5076
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4368
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2428
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2172
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2936
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4328
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:4064
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2188
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:816
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:1896
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:4532
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4492
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:4880
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:1224
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2124
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:992
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:2932
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4716
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:2552
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:4088
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  PID:4828
- \??\c:\progra~1\remotehelp36\hdvncrun.exe
  c:\progra~1\remotehelp36\hdvncrun.exe /toolbar
  2⤵
  PID:736
- \??\c:\progra~1\remotehelp36\winvnc.exe
  c:\progra~1\remotehelp36\winvnc.exe
  2⤵
  - Drops file in Program Files directory
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\remotehelp36\HDVNCRun.ini

Filesize
1KB

MD5
fcc82c7c714086efbb4915a3d54580bb

SHA1
ba961c614645dddd9a368281663bb5914077a4e6

SHA256
af5de4fcb29a4de6af4a9b1c89c9b2784cf064bf997a8835dbdb4fb0f9d96758

SHA512
9a7fadbd6a8f393a6a9e7ad3aefee981385f6eea632b8da22a0b3efae300ac6f21bf9d9833ef0bf975eb4d988e8b0f882042fedec47e0570d8892bb7a9e6fea3

Download Submit
C:\Program Files\remotehelp36\winvnc.exe

Filesize
508KB

MD5
3bee39a195f797edebdfef6b31f9aa95

SHA1
4367fc1d8e0db7c1136f0bb89614ac92785ff498

SHA256
587d1afbb8f97894f38b37ea4af66fc754ca5753c2183e2cb058b9e698c9b044

SHA512
9541e88f112d9cf247b6552c6685fbbcf808576c77d707356292481e1aaa7758636935a7f8463681b486b021d97f35dd0e82487bd07f7819c414b23814a04cf6

Download Submit
\??\c:\progra~1\remotehelp36\HDVNCRun.exe

Filesize
160KB

MD5
b51fd23f85bce01f55a41952ef82a471

SHA1
1e5242faa214b8ec94df48d3641db12b67b4c95f

SHA256
8bb928f92f87b5c968daf510d0e0c87563e0d8fa5ddf9a49616b29bf8a0f3c88

SHA512
9d50b552ab6409595d8bb9f86068b38157084541289e0232e2c15d683e801a2d7efc6b2047f73c84bf81c64a62529f9bc60487bb7600fd664e6c0d08ead621cd

Download Submit
\??\c:\progra~1\remotehelp36\HDVNCRun.ini

Filesize
1KB

MD5
943eedac078b526b54a8bc9ac67ecaec

SHA1
b9085fa92033eec66f2bc6db75cb20854d011511

SHA256
3a7791194fcbf94aa64053fa18880f28664dd19fd2f5065853f1ba4b6da067e0

SHA512
ac55bbf2d73fd630e19ecdf0fec6b31bcb16f0f4fdf80702f685bbb11cfa0838d68e28114b67dbfa838e5274031d73333a3eb5a6aa71a1a3af7ea4a25602d517

Download Submit
\??\c:\progra~1\remotehelp36\helpdesk.txt

Filesize
561B

MD5
910f637807b80c8d2ea703bfec574c3e

SHA1
bf49ec0cee0ec23b022cf2da2cbedd24047dda85

SHA256
5b833119aa4230be152872ab82cc19d868b734c0d0d0a74fb83a0ce11127e718

SHA512
8dd5ac8e19c9dcb5f53925b6894b984731c2a4538e5f8af37813f8db3fd74ba1142fe8b246e0c56c436c8e21e19e5f70786c7c687d479567cf3c3aeba4d0b4f7

Download Submit
\??\c:\progra~1\remotehelp36\splash.jpg

Filesize
4KB

MD5
8bd0265e477fac89844f247d509e689f

SHA1
eddb9593721384fdd87954e99754a6206a3b719e

SHA256
47daa0441e35b0113442a27d33707a3ff6ddb7a5d56efa3be31c035e8dfb6d5a

SHA512
c77f19f72202391011acb12941c2f0d65090ea2d87219ee80848a455e05519109c4d013764773017590140a94f3389c0185c2e63d7854bf5eac7f6c181e2db01

Download Submit