Malware Analysis Report

2024-11-16 12:27

Sample ID 240313-ktfxaabb32
Target winact.bat
SHA256 6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90
Tags discovery exploit
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90

Threat Level: Likely malicious

The file winact.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Drops file in Windows directory

Launches sc.exe

Checks processor information in registry

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Runs net.exe

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 08:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 08:53

Reported

2024-03-13 08:56

Platform

win10v2004-20240226-en

Max time kernel

172s

Max time network

174s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\Clipup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\Clipup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\Clipup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\system32\reg.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2768 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2768 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2768 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2768 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2208 wrote to memory of 3472 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2208 wrote to memory of 3472 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2768 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2768 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3668 wrote to memory of 1156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3668 wrote to memory of 1156 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2768 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2768 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2768 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2768 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2768 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2768 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2768 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2228 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2768 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4772 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 4772 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2768 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2768 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2768 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2768 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2768 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2768 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2768 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2680 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2768 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2768 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2768 wrote to memory of 1872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2768 wrote to memory of 1872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2768 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 3668 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\sppsvc.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /T

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\spp /grant administrators:F /T

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl

C:\Windows\system32\net.exe

net stop sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sppsvc

C:\Windows\system32\net.exe

net start sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start sppsvc

C:\Windows\system32\cscript.exe

cscript.exe C:\Windows\System32\slmgr.vbs /rilc

C:\Windows\system32\timeout.exe

timeout /T 3 /NOBREAK

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\reg.exe

reg query HKU\S-1-5-19

C:\Windows\system32\mode.com

mode con: cols=102 lines=31

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingService" "Version"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingService" "Version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "Caption"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "Caption"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL" "Name"

C:\Windows\system32\findstr.exe

findstr /i "Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Microsoft Windows 10 Pro"

C:\Windows\system32\findstr.exe

findstr /I Evaluation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "OperatingSystemSKU"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "OperatingSystemSKU"

C:\Windows\system32\reg.exe

reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"

C:\Windows\system32\find.exe

find /i "x86"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "osarchitecture"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "osarchitecture"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo 64-bit "

C:\Windows\system32\find.exe

find /i "ARM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo AMD64 "

C:\Windows\system32\find.exe

find /i "ARM"

C:\Windows\system32\PING.EXE

ping -n 1 www.microsoft.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc query ClipSVC

C:\Windows\system32\sc.exe

sc query ClipSVC

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc qc ClipSVC

C:\Windows\system32\sc.exe

sc qc ClipSVC

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc query wlidsvc

C:\Windows\system32\sc.exe

sc query wlidsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc qc wlidsvc

C:\Windows\system32\sc.exe

sc qc wlidsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc query sppsvc

C:\Windows\system32\sc.exe

sc query sppsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc qc sppsvc

C:\Windows\system32\sc.exe

sc qc sppsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc query wuauserv

C:\Windows\system32\sc.exe

sc query wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc qc wuauserv

C:\Windows\system32\sc.exe

sc qc wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell write-host '"Checking wuauserv [Service Status -Running] [Startup Type -Demand]"' -fore '"white"' -back '"darkgray"'

C:\Windows\system32\sc.exe

sc config wuauserv start= Auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"

C:\Windows\system32\findstr.exe

findstr /i MAK

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"

C:\Windows\system32\findstr.exe

findstr /i OEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"

C:\Windows\system32\findstr.exe

findstr /i Retail

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmip.vbs" "VK7JG-NPHTM-C97JM-9MPGT-3V66T"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmim.vbs" "SoftwareLicensingService.Version='10.0.19041.1266'" "RefreshLicenseStatus"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\winact.bat') -split ':bat2file\:.*';iex ($f[1]);X 3;X 4;"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3104.tmp" "c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\CSC3C80E4A6DFD9420FB0BD1A55E5376E4.TMP"

C:\Windows\system32\expand.exe

"C:\Windows\system32\expand.exe" -R 3._ -F:* .

C:\Windows\system32\expand.exe

"C:\Windows\system32\expand.exe" -R 4._ -F:* .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\gatherosstate.exe').Hash"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\gatherosstate.exe').Hash"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\slc.dll').Hash"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\slc.dll').Hash"

C:\Windows\system32\rundll32.exe

rundll32 "C:\Windows\Temp\_Ticket_Work\slc.dll",PatchGatherosstate

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Windows\Temp\_Ticket_Work\slc.dll",PatchGatherosstate

C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe

"C:\Windows\Temp\_Ticket_Work/gatherosstatemodified.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Restart-Service ClipSVC

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o

C:\Windows\system32\Clipup.exe

"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem5313.tmp

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ID"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ID"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmim.vbs" "SoftwareLicensingProduct.ID=" "Activate"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL" "Name"

C:\Windows\system32\findstr.exe

findstr /i "Windows"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell write-host '"Microsoft Windows 10 Pro is permanently activated."' -fore '"white"' -back '"DarkGreen"'

C:\Windows\system32\sc.exe

sc config wuauserv start= Demand

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell write-host '"Cleaning Temp Files [Unsuccessful]"' -fore '"white"' -back '"DarkRed"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kz5uaidz.lq1.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/4892-54-0x00000206015C0000-0x00000206015D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e2eaeeb3cd489fd6be3b2a6479c91981
SHA1 a5103719cd26c8d689d36a6bed16275b2460ba0b
SHA256 e57a1daf9ca3c2fd5d1941ac6126113bfdbeba50ab316513974d84db419f9829
SHA512 f0cb230812434933aee6918fa261c6e19504a46bb1792ce56117579f8a1db0f72faba42e66064d34e18241cb41321c32e20af5258233575616b688b59e1279e6

memory/4892-61-0x00007FFA34A50000-0x00007FFA35511000-memory.dmp

memory/1376-63-0x0000029C73950000-0x0000029C73960000-memory.dmp

memory/1376-62-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp

memory/1376-66-0x0000029C73950000-0x0000029C73960000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f61633e2e747fc15903069b35f4f5fa1
SHA1 6f0eeb79bd1421cbb30284389b735cfe2cc1252f
SHA256 b1fa182f636ef2b2aa0fc5642607d13c5690414ecfff40ae8d80077bfd887b56
SHA512 3cfe02bdd85a599d6a31792d2da787132dbdfd25f6d5e3ce4e9399dc79b17bb912699865b3e1287902a02351b3c2cb9feb0755ad3d410a4053672434153fba74

memory/1376-75-0x0000029C73950000-0x0000029C73960000-memory.dmp

memory/1376-76-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp

memory/1376-77-0x0000029C73950000-0x0000029C73960000-memory.dmp

memory/1376-78-0x0000029C73950000-0x0000029C73960000-memory.dmp

memory/1376-79-0x0000029C73950000-0x0000029C73960000-memory.dmp

memory/1376-81-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp

memory/3452-82-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp

memory/3452-92-0x0000013153430000-0x0000013153440000-memory.dmp

memory/3452-93-0x0000013153430000-0x0000013153440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 781ee7133f8c815cf6936a58a6ec7a00
SHA1 bcb7a46f0900c564afc9e81d2a865b2fb163559a
SHA256 fb410c61a4c32ecff9fe1829baa42e216c482cc3b36c049b15454d6a766422ae
SHA512 116d22cfec167e4d8367e765fb6a9f191096001556deedc08f06afb29a0b0052bcc5658a637ddf5d3dcf1cdd24a8a0a810accf97611c79d4c4c116cd6e1aca2c

memory/3452-95-0x0000013153430000-0x0000013153440000-memory.dmp

memory/3452-97-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmi.vbs

MD5 771337df46923fa7608ae2f39295bd5d
SHA1 0ed8a167620d1b0c34fc4dc8f08e3f533c519a5a
SHA256 62d3f93457147d95c4caeacb9c9ec567ded6056b82e775184b6066d0d3ad767f
SHA512 972a411b1f27266be063995165c3867d4fdb1ef8fdc7355197c71a48cbdc9c8b9ff6e5a88782587f5be0c01e0a6422d36dc283174586d980313f9e18e211f0a1

memory/2064-103-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/2064-109-0x0000021CFD540000-0x0000021CFD550000-memory.dmp

memory/2064-110-0x0000021CFD540000-0x0000021CFD550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d62de053bc592694c6218379a9b3d2af
SHA1 3bcbcfa507268b2a91391e7b9904dfddfa440bfa
SHA256 f8eeab49b57a3ea567bc6bfb882c27bc37abf92640de04e15dfee828fca92a79
SHA512 c7b15e8525bbeb5036452c70d1474cc23576ea94845d7b64061042ebea0fdc91a1a892d1c3726f06c13e561310f79fc6811509fe7eace00e09bd5a3f857b7e4a

memory/2064-117-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmip.vbs

MD5 4287da015add322dfcaf9c978bcf06c8
SHA1 0d9036dbabcbbffc3bfa10c46c107304e84b1b20
SHA256 7d2c4a6096a0cef596d649a6ab463def13e50c8ba0c19f2da4fa559574566a58
SHA512 464abbb1f7d3379f98360d22dc0674672bf28c75fe1a4978bcbc51e66a51a27cc0c131a932eb495a1679d6e7b2127ad1c772f870dc4c174ed3be545dbcd29b88

C:\Users\Admin\AppData\Local\Temp\wmim.vbs

MD5 255c26473b0140bff98d7be7488040c5
SHA1 3ec7265b2239e898d43969c5a36d673815a25585
SHA256 ef903da9c5fb4742c7764000532994d94aade900c2e825f161d9bae371842c3e
SHA512 fff5041bb4d06460455c5fcfae3e147384b981c9630e23a1387473cddd5091d386b80f77aa0b34f374aaa809dfd515262950a59faa045503612a18fa8a7b161b

memory/3572-126-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/3572-132-0x000001F359880000-0x000001F359890000-memory.dmp

memory/3572-133-0x000001F359880000-0x000001F359890000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe68a34c09b376ff0c822f2809627238
SHA1 fb7b7772e77980c40397054ea7ddc88dc80a9cfe
SHA256 9c6c69f1519015cfd4360e6bc2993b91ff9a7c35889c3ae5910dd62dbc915c79
SHA512 5bab3d1ed72137ba700c119b572cf92f8ed129d38aed396fb52f279a88a92b6fa3cee85f9f5d314f6881bdc5afdcb4ede74e907f60f799a9c5852b9b929c0654

memory/3572-130-0x000001F359880000-0x000001F359890000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.cmdline

MD5 076108d5b6a793aceaf3590c9b68924d
SHA1 6539783faf77abed4a1884beb034f2f972a8faa8
SHA256 baa1091312dafa9bf1c37bffb3c5c5ef265dad5d4dde224caff5cb407baeb39b
SHA512 ebbf4e5d72833b3ce9f153636acc787a78c54fad108a28e931d1a1cb42f8220c6d0576c20129c87d97926f5fe2ba38a6f583ac88b8712fa9235ad3681bc6000f

\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.0.cs

MD5 758ba880ad959901cbefedbc761b695c
SHA1 0adb761216512a736ccacd8271d1170f5a961ab8
SHA256 bd8acacc9694725260536c846fe639b2c10ecf3b4f4c2f21c7738de4135af5fd
SHA512 fdefe9abed4d0340c26e2dd41589738429c8dea8a5f0c28c8244f82df7085cb70115bc8c37bfda4389de0811b74cd0cfc779ecde7e30a86aaac79c710d05f2e7

\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\CSC3C80E4A6DFD9420FB0BD1A55E5376E4.TMP

MD5 4ecb84eb845deefc0ddd4c95b0c8fdbe
SHA1 80e2cc9e3da5ec14ee74ea5b2152e2710648978c
SHA256 8bd97388c41550f3bb407e1e1d2523afba5697084ca87139d2a777137144064d
SHA512 797973b22d1f23b8f44c5e697fd0b7511c1bf6c9cd4e55e30e8be4ae9b84350aea455858723429a3e4fc731fcbc8efbed5b2d8869bc9e33802dac21a01a40b08

C:\Users\Admin\AppData\Local\Temp\RES3104.tmp

MD5 3b203d347257baee898c8b4eafb2d496
SHA1 c3ec331a9f2b85d112ca03175f39a4511efc83c4
SHA256 91fe24a6090c5312327dc88a44d61a0f516144018e195b1d6f02677f3a40b630
SHA512 99867b1055983a5950da40c8c5071b581671caff9403b58763c22f88da60fd4fd520fc208f8c773397a592166d5abaadf6757d0e946f618b487af48071330eab

memory/3572-146-0x000001F3413B0000-0x000001F3413B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.dll

MD5 fba03b29f70e3d19cf3482707ce2b9d4
SHA1 2f9c4ef5c2a3972a2ca4f7c7ef43a8b33fed7d0b
SHA256 f594dd0e4b8fa5db949daf0d1e8bc2549ae75c0f1fc7983c5bc5494a1fc4a90d
SHA512 c76ac267a0f0edec015ef01e4dfaf5ab451c0b5ae55134ff70fc35111634e92f721d48b49cdf992565c68f46f53559bd0905c15f43df721e08457afc1150b7cc

C:\Windows\Temp\_Ticket_Work\3._

MD5 bb9c06f9c67317b6e401eacd6b4d8e02
SHA1 3cab4bcfda6c6c11e7695c7f71aeb12a259d97d7
SHA256 f1bcffaa498e3ccb633d8d473449a8bc2630034ac46b6f52f5cce3a493ac4b6c
SHA512 13865780bf65545b0f5e5e3b7b4b8d26b54b21bed5dfbcd3013ce45c07fc473f80a497e429cee053819d00e801fe717cffdc29d0d44bf70541f1ca9a84b6e3a6

C:\Windows\Temp\_Ticket_Work\4._

MD5 5e6326fea7bfda62ab68585bf2fc09f1
SHA1 ecb7cb45eed1df63491b2494c23cc8897504d00f
SHA256 077144a55891a75daf97c0fa26dcee1939ba02fd6a71707d4010b22bfdf447b3
SHA512 eb0c15bec3a9753d399a938b2c0c7feaac3ab567ecf95e6ec82540d2bbaf69a12bfbd271c67e388a1a50708ff3ce30d0e22d8ac357159d8d07d6979abd9e162b

C:\Windows\LOGS\DPX\setupact.log

MD5 4327f20030449da42e6e753c4978e9a1
SHA1 4c01d5633dfee2a6a09199c5cf3d0a103d01e0ea
SHA256 930cbf96fbbbe3141642c1377fe6b44685defe4e5bc3bbc85ddd123004d0e2e5
SHA512 e3694df3e37bf7e87988f1245caa4942f0a4f12294fd81704a0c86607e66a9c9c41f8293c9e16c91ce47715589108989bd27efe5edb5089f260ccb0d905dff51

memory/3572-162-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/3884-163-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b2c0bab2ba90319d1d1b04be2fd781f
SHA1 9c700fa0ee86732f119a038facb26052a70ee73a
SHA256 1c46c61990e1d8e3e84683f0e6748c87978d48ff26ff7279e47564f57bd43055
SHA512 63e1290d40eae2af5ed93175bed9e019e03cd4796d559be50f66739914ad453e2f58f4c2a12be4fc0f8f4c52e9ce5eabcc62002222e34e17d2e0ae8e9fac90d1

memory/3884-175-0x00000128693B0000-0x00000128693C0000-memory.dmp

memory/3884-169-0x00000128693B0000-0x00000128693C0000-memory.dmp

C:\Windows\Temp\_Ticket_Work\gatherosstate.exe

MD5 15ce0753a16dd4f9b9f0f9926dd37c4e
SHA1 fabb5a0fc1e6a372219711152291339af36ed0b5
SHA256 028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
SHA512 4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

memory/3884-178-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/2672-184-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/2672-190-0x000001CFEEAE0000-0x000001CFEEAF0000-memory.dmp

memory/2672-185-0x000001CFEEAE0000-0x000001CFEEAF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 def7884bfec63bbb926d51438b7439c2
SHA1 48f7438447cc4b0e6e44735dc17a2659380218fd
SHA256 d4951ddfe54394c89d24be1f17576dceefdcc97b905f33fae7bf1caeba2d92f9
SHA512 22c529d29befd1b070cb5cdb9c1194ba162035756f7b9d25d4c73537dd286c483fd4a4770b920d58a9536cfc64a5e9bff88f5f46bf1d2cc5bf5ab25005aacfb1

memory/2672-192-0x000001CFEEAE0000-0x000001CFEEAF0000-memory.dmp

C:\Windows\Temp\_Ticket_Work\slc.dll

MD5 b21c40aaf16ba46b2732618d089db3a4
SHA1 ca3a51fdfc8749b8be85f7904b1c238a6dfba135
SHA256 9395a37c42e83568dc5ecb25d9e9fca4c6c1c4f47e336fb6ccae62df5c696b4d
SHA512 3e6d4413edfdf2acaf357fba3269913bcfb031848723b64186ed5bbec056030fc385843094bbca5a8377b218c9cdb0bee803ef9be61ed0aef648454bfd1ffad3

memory/2672-195-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe

MD5 f01b9f4e4feb1c2aa510d3010e46e611
SHA1 6b1ca1ed81ec178e65872b72e0dd2009f82bace7
SHA256 a489a44cb48866f3c78c913c5e42bc0bab4283ecaf36e3f2e1568e0a0477873a
SHA512 274183e01a51a9bb3b619163496108f89c454ecb1258fba359dafb9df89369021863098e7f92e73f8da433c97d65293b0f406e405bf4ee3fc199932587109cb2

memory/728-205-0x0000000064B40000-0x0000000064B46000-memory.dmp

C:\Windows\Temp\_Ticket_Work\GenuineTicket.xml

MD5 911aa9298d4857a1ea93209bed86732d
SHA1 3367397797a35ec781bfc7a477cf32be2463d7d5
SHA256 d5331721fd20fd64dd73f124dca23f5e32244120cf5814ee20cf2316d631f1ef
SHA512 5f7ac1fcb08ebdc8cacc61c3bd7ebfb5dd0ada997e45d08c1e8424eca2ab1356781c0d62528ea0349894ad113dd13ed9163310e8cc4b42e86540fadd4deb9f4a

memory/4368-209-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/4368-215-0x0000021A78430000-0x0000021A78440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 78bcc4937be217a0ff2e2b45223918b5
SHA1 efcc6f96c244701457bada016820bb7801016c8d
SHA256 6532ffb7def1df398fdd3dddfb5e5f9416f18888148146d67a7980cb88d58f81
SHA512 509f35cbf223a768e338b986a8a1613dbc292483476e6ca990987f579f7b420cd1d2350a11422a41ba6805750f9de48a24bd25dc3edfb2918fa64db0f4ffdd4c

memory/4368-221-0x0000021A78430000-0x0000021A78440000-memory.dmp

memory/1532-224-0x000002BC217C0000-0x000002BC217D0000-memory.dmp

memory/4368-223-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/1532-226-0x000002BC217C0000-0x000002BC217D0000-memory.dmp

memory/1532-225-0x000002BC217C0000-0x000002BC217D0000-memory.dmp

memory/2204-229-0x0000027E99210000-0x0000027E99220000-memory.dmp

memory/2204-230-0x0000027E99210000-0x0000027E99220000-memory.dmp

memory/2204-227-0x0000027E99210000-0x0000027E99220000-memory.dmp

memory/2204-232-0x0000027E993D0000-0x0000027E993E0000-memory.dmp

C:\Windows\TEMP\tem5313.tmp

MD5 b13af738aa8be55154b2752979d76827
SHA1 64a5f927720af02a367c105c65c1f5da639b7a93
SHA256 663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b
SHA512 cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

memory/1532-239-0x000002BC217C0000-0x000002BC217D0000-memory.dmp

memory/1532-238-0x000002BC217C0000-0x000002BC217D0000-memory.dmp

memory/2204-236-0x0000027E99210000-0x0000027E99220000-memory.dmp

memory/2204-235-0x0000027E99210000-0x0000027E99220000-memory.dmp

memory/3792-240-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp

memory/3792-250-0x0000028F1AF00000-0x0000028F1AF10000-memory.dmp

memory/3792-251-0x0000028F1AF00000-0x0000028F1AF10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02d34e98497db1b20a085ae33218c2bf
SHA1 e30a40961562c97bd70ddd5924184791b05a0e06
SHA256 f85569a795a1c6409cf561333133667272b1b49085c30cc7b7a7d9f4cb5e23b1
SHA512 a31444e4dda7b3650ae19b55e694e39c87e60fb9f53d4b5027d8c06157cee821f7e523762ad283a1bf220bd34ebe554d2660f83fae9c64c0e5c9d2bc450174a7

memory/3792-253-0x0000028F1AF00000-0x0000028F1AF10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1dffbab5ecc6d06e8b259ad505a0dc2a
SHA1 0938ec61e4af55d7ee9d12708fdc55c72ccb090c
SHA256 a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
SHA512 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
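The Files list above interleaves three kinds of record: memory dumps (memory/<pid>-<n>-<start>-<end>), PowerShell and .NET host artefacts that appear in every run (StartupProfileData-NonInteractive, the __PSScriptPolicyTest_*.ps1 probe, the CLR usage log, the csc.exe output of an Add-Type compile under Temp\0h0rdaq0\), and the files the sample actually wrote (the wmi*.vbs scripts in Temp and everything under C:\Windows\Temp\_Ticket_Work\). The Python below is an added example, not from the report or the sandbox: it parses the list, checks that every entry carries all four digests with the right length for the algorithm, drops the host noise using assumed patterns of my own, and returns a SHA256 IOC list plus the amount of memory dumped per PID. The embedded excerpt copies six entries verbatim from the list above.

```python
import re

# Six entries copied from the Files list above (two memory dumps, four files with hashes).
FILES_EXCERPT = r"""
memory/3436-0-0x000002473E050000-0x000002473E072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kz5uaidz.lq1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\wmi.vbs

MD5 771337df46923fa7608ae2f39295bd5d
SHA1 0ed8a167620d1b0c34fc4dc8f08e3f533c519a5a
SHA256 62d3f93457147d95c4caeacb9c9ec567ded6056b82e775184b6066d0d3ad767f
SHA512 972a411b1f27266be063995165c3867d4fdb1ef8fdc7355197c71a48cbdc9c8b9ff6e5a88782587f5be0c01e0a6422d36dc283174586d980313f9e18e211f0a1

\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.cmdline

MD5 076108d5b6a793aceaf3590c9b68924d
SHA1 6539783faf77abed4a1884beb034f2f972a8faa8
SHA256 baa1091312dafa9bf1c37bffb3c5c5ef265dad5d4dde224caff5cb407baeb39b
SHA512 ebbf4e5d72833b3ce9f153636acc787a78c54fad108a28e931d1a1cb42f8220c6d0576c20129c87d97926f5fe2ba38a6f583ac88b8712fa9235ad3681bc6000f

C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe

MD5 f01b9f4e4feb1c2aa510d3010e46e611
SHA1 6b1ca1ed81ec178e65872b72e0dd2009f82bace7
SHA256 a489a44cb48866f3c78c913c5e42bc0bab4283ecaf36e3f2e1568e0a0477873a
SHA512 274183e01a51a9bb3b619163496108f89c454ecb1258fba359dafb9df89369021863098e7f92e73f8da433c97d65293b0f406e405bf4ee3fc199932587109cb2

memory/728-205-0x0000000064B40000-0x0000000064B46000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Host artefacts the sandbox records whenever PowerShell runs; they say nothing about the
# sample. These patterns are assumed heuristics of my own, not from the report.
NOISE = [
    (r"\\PowerShell\\StartupProfileData-NonInteractive$", "powershell-startup-cache"),
    (r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", "powershell-policy-probe"),
    (r"\\CLR_v4\.0\\UsageLogs\\", "clr-usage-log"),
    (r"\\AppData\\Local\\Temp\\[a-z0-9]{8}\\|\\Temp\\RES[0-9A-F]+\.tmp$", "add-type-compile-artifact"),
]
NOISE_LABELS = {label for _, label in NOISE}


def classify(path):
    for pattern, label in NOISE:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    if re.search(r"\\Windows\\Temp\\_Ticket_Work\\", path, re.IGNORECASE):
        return "dropped-ticket-work"
    return "other"


def parse_files(text):
    """Split the Files list into file entries (path + hashes) and memory-dump records."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current["hashes"][h.group(1)] = h.group(2).lower()
            continue
        current = {"path": line, "kind": classify(line), "hashes": {}}
        files.append(current)
    return files, dumps


def bad_hashes(files):
    """(path, algorithm) for every missing digest or digest of the wrong length."""
    return [(f["path"], algo) for f in files for algo, n in HASH_LEN.items()
            if len(f["hashes"].get(algo, "")) != n]


def iocs(files):
    """(path, sha256) for entries that are not known host noise."""
    return [(f["path"], f["hashes"]["SHA256"]) for f in files if f["kind"] not in NOISE_LABELS]


def dump_sizes_by_pid(dumps):
    """Total bytes of memory regions dumped per PID."""
    out = {}
    for d in dumps:
        out[d["pid"]] = out.get(d["pid"], 0) + (d["end"] - d["start"])
    return out


if __name__ == "__main__":
    files, dumps = parse_files(FILES_EXCERPT)
    for path, sha in iocs(files):
        print(sha, path)
    print("hash problems:", bad_hashes(files))
    print("dumped bytes per PID:", dump_sizes_by_pid(dumps))
```

The length check matters because hashes in rendered reports are often truncated or line-wrapped on copy; a 63-character SHA256 silently matches nothing when pushed to a blocklist. The same-named StartupProfileData-NonInteractive entries above each carry a different hash because PowerShell rewrites that cache on every start, which is another reason to exclude them rather than hunt for them.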