IOC Report
vm-uw.exe


Files

File Path | Type | Category | Malicious
vm-uw.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Windows\Fonts\systkm32\csrss.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious
C:\Windows\Fonts\systkm32\vv.bat | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat | ASCII text, with no line terminators | modified |
C:\Windows\Fonts\systkm32\1.ini | ASCII text, with CRLF line terminators | dropped |
C:\Windows\Fonts\systkm32\svchost.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped |
\Device\ConDrv | ASCII text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\vm-uw.exe | "C:\Users\user\Desktop\vm-uw.exe" | malicious
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" " | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat" | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 2 | malicious
C:\Windows\Fonts\systkm32\csrss.exe | C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 | malicious
C:\Windows\SysWOW64\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f | malicious
C:\Windows\SysWOW64\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f | malicious
C:\Windows\SysWOW64\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters | malicious
C:\Windows\SysWOW64\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f | malicious
C:\Windows\SysWOW64\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 | malicious
C:\Windows\Fonts\systkm32\svchost.exe | C:\Windows\Fonts\systkm32\svchost.exe | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\mode.com | mode con: cols=16 lines=2 |
C:\Windows\SysWOW64\sc.exe | sc start WMPNetworkSxc |
C:\Windows\SysWOW64\regini.exe | regini 1.ini |

URLs

Name | IP | Malicious
https://haozip.2345.cc/ | unknown |

IPs

IP | Domain | Country | Malicious
127.0.0.1 | unknown | unknown | malicious

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc | Description |
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc | DisplayName |
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc\Parameters | NULL |
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc\Parameters | AppDirectory |

Memdumps

Base Address | Regiontype | Protect | Malicious
FF9000 | heap | page read and write |
800000 | heap | page read and write |
2B1F000 | stack | page read and write |
279E000 | stack | page read and write |
2AF0000 | heap | page read and write |