Analysis

- max time kernel: 51s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:29

- Static task: static1
- Behavioral task behavioral1: sample 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe, resource win10v2004-20220414-en

The signatures and process tree on this page are from the windows7_x64 run (behavioral1); the Wow6432Node and SysWOW64 paths throughout show the sample and its helpers running as 32-bit processes on that 64-bit image.
General

- Target: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
- Size: 3.2MB
- MD5: 164522c5805de5f7392cf0f81e67914f
- SHA1: 11da4bf6263230b0f740d0f602ee7b9d5bd00800
- SHA256: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c
- SHA512: 7c3c8dbe99a9f1c4b7e6e06ecd84a209c224ee41490e358b978de90ee0b42d354e8d6bdcb4932d8465b63b500b67c057992de8c2dbf61d7cfce0cfea8e5e05da
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: swreg.exe

- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," (swreg.exe)

Caveat: the data written is the stock Windows Userinit string (userinit.exe followed by a trailing comma and nothing after it). A Userinit hijack appends a second executable after the comma; this write sets the value back to the default, so the signature records a reset rather than an added persistence entry. The path is the Wow6432Node view because the report logs the redirected key that a 32-bit writer sees; when verifying on a live host, read the key from a 64-bit process as well so both views are covered.
Modifies system executable filetype association 2 TTPs 40 IoCs
Processes: pev.exe, InfDefaultInstall.exe, PEV.exe

The 40 entries are the same two operations, repeated per process, on each of the four ProgIDs exefile, comfile, batfile and piffile under \REGISTRY\MACHINE\SOFTWARE\Classes\:

- Key created <ProgID>\shell\open\command: pev.exe x3, PEV.exe x1, InfDefaultInstall.exe x1 (per ProgID)
- Set value (str) <ProgID>\shell\open\command\ (default value) = "\"%1\" %*": pev.exe x3, PEV.exe x1, InfDefaultInstall.exe x1 (per ProgID)

The data written, "%1" %* once the sandbox's quote escaping is removed, is the stock open command for all four file types. A hijack of these handlers puts another program in front of %1; a write that sets the value back to "%1" %* undoes such a hijack. Read this hit as "handler rewritten, check the value", not as "handler hijacked".
Disables RegEdit via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes: handle64.exe

- File created C:\Windows\system32\Drivers\PROCEXP90.SYS (handle64.exe)

The same process (PID 760) is the one flagged under "Suspicious behavior: LoadsDriver" below; handle64.exe does not appear in the dropped-EXE list or in the part of the process tree shown on this page.
Executes dropped EXE 64 IoCs
Processes (PIDs per image, in order of first appearance):

- iexplore.exe: 1660, 1116
- hidec.exe: 1992, 1556, 2004, 772, 988, 1920, 1776, 1040
- pev.exe: 1712, 1344, 112, 1800, 968, 1656, 700, 1592
- PEV.exe: 1772
- n.pif: 1968, 1792, 324, 1228, 560, 1976, 1692
- SWXCACLS.cfxxe: 1612
- swreg.exe: 1900, 108, 1244, 976, 560, 936, 1688, 1940, 2016, 2000, 1724, 1100
- SWREG.exe: 1984, 1508, 848, 1108
- GSAR.cfxxe: 1300, 1592
- nircmd.cfxxe: 2016, 2036
- cmd.execf: 1340, 2044, 1660
- grep.cfxxe: 1824, 940, 812, 1888, 676, 1548, 1716, 1372, 472, 1332, 1348, 1228, 1200
- NircmdB.exe: 484

PIDs are recycled within the run: 1660 is first iexplore.exe and later cmd.execf, and 560, 1228, 1592 and 2016 are each used by two different images. When correlating this list with the other signature sections, match on PID plus image name and start order, not on PID alone.
Sets file execution options in registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Packed with UPX (yara rule upx) 30 IoCs
Resources matching the rule, listed once per dropped copy:

- \32788R22FWJFW\iexplore.exe and C:\32788R22FWJFW\iexplore.exe: 5 matches
- \32788R22FWJFW\n.pif and C:\32788R22FWJFW\n.pif: 11 matches
- \32788R22FWJFW\swreg.exe and C:\32788R22FWJFW\swreg.exe: 11 matches
- \32788R22FWJFW\NirCmd.cfxxe and C:\32788R22FWJFW\NirCmd.cfxxe: 3 matches

The rule only states that these helper binaries are UPX-packed; that is common for small command-line utilities and is not on its own an indicator of malicious intent.
Loads dropped DLL 64 IoCs
Processes (PID image: number of load events):

- 1068 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe: 23
- hidec.exe: 1992 x1, 2004 x1, 772 x1, 988 x2
- n.pif: 560 x2, 1976 x1, 1692 x1
- nircmd.cfxxe: 2016 x1, 2036 x1
- cmd.execf: 2044 x11, 1340 x7, 1660 x6
- PV.cfxxe: 1996 x6
Adds Run key to start application 2 TTPs 19 IoCs
Processes: PEV.exe, pev.exe, InfDefaultInstall.exe (all keys under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\)

- Key created RunOnce: PEV.exe x1, pev.exe x3, InfDefaultInstall.exe x1
- Key created runonceex: PEV.exe x1, pev.exe x3
- Key deleted RUNONCEEX: PEV.exe x1, pev.exe x3
- Key created run: PEV.exe x1, pev.exe x3
- Set value (str) RunOnce\ (default value, no data shown): InfDefaultInstall.exe x1
- Set value (str) RunOnce\GrpConv = "grpconv -o": InfDefaultInstall.exe x1

The only entry with data is RunOnce\GrpConv = "grpconv -o". The INF installer writes that value itself and runonce.exe -r consumes it in the same run (see the InfDefaultInstall.exe -> runonce.exe -> grpconv.exe chain in the process tree), so it is not a reboot-persistence entry for the sample. The remaining 17 entries are key creations and the deletion of RunOnceEx, with no value written to Run, RunOnce or RunOnceEx.
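The three sections above (Winlogon Userinit, the exefile/comfile/batfile/piffile open commands, and the Run keys) all fire on registry writes whose data are the Windows defaults. For context, the working directory 32788R22FWJFW and the helper names pev.exe, swreg.exe, hidec.exe and nircmd are those of the ComboFix clean-up utility, which resets exactly these keys; nothing on this page contradicts that reading. The script below is an added example, not part of the sandbox report and not code from the sample: it parses IoC lines in the report's own "action key = value process" format into records and compares each written value with a hard-coded baseline of stock values, so that a reset to the default and a real hijack can be told apart automatically. The lines in REPORT_LINES are copied from this page except the last, which is a constructed Userinit hijack used as a counter-example; the baseline table, record layout and function names are my own.

```python
import re

# IoC lines hand-copied from this report (constructed input for the example).
# The sandbox prints each registry IoC as:  <action> <key path>[ = "<value>"] <process>
# and escapes backslashes and quotes inside the value C-style.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," swreg.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command pev.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" pev.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" InfDefaultInstall.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" InfDefaultInstall.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" InfDefaultInstall.exe',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX pev.exe',
    # Constructed counter-example, NOT from the report: a real Userinit hijack appends a second program.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\x.exe" evil.exe',
]

# Stock Windows data for the keys these signatures fire on (assumed baseline,
# maintained by hand).  Lookups are case-insensitive and ignore Wow6432Node,
# because the 32-bit helper processes write through the redirected view.
_DEFAULTS = {
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit': r'C:\Windows\system32\userinit.exe,',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell': 'explorer.exe',
}
for _ext, _progid in (('.exe', 'exefile'), ('.com', 'comfile'), ('.bat', 'batfile'),
                      ('.cmd', 'cmdfile'), ('.pif', 'piffile')):
    _DEFAULTS[rf'HKLM\SOFTWARE\Classes\{_ext}\(Default)'] = _progid
    _DEFAULTS[rf'HKLM\SOFTWARE\Classes\{_progid}\shell\open\command\(Default)'] = '"%1" %*'
BASELINE = {k.lower(): v for k, v in _DEFAULTS.items()}

_ACTION_RE = re.compile(r'^(Key created|Key deleted|Key opened|Key value queried|Set value \(\w+\)) (.+)$')


def _normalize(path):
    """Map the native \\REGISTRY\\... prefix to hive shorthand and drop the WOW64 view."""
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    path = re.sub(r'^\\REGISTRY\\USER\\', r'HKU\\', path, flags=re.I)
    return re.sub(r'\\Wow6432Node\\', r'\\', path, flags=re.I)


def parse_ioc(line):
    """Split one report line into action, key, value name, value data and process."""
    m = _ACTION_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    action, rest = m.groups()
    rest, process = rest.rsplit(' ', 1)            # the process image is always the last token
    value = None
    if ' = "' in rest:
        rest, raw = rest.split(' = "', 1)
        value = re.sub(r'\\(["\\])', r'\1', raw[:-1])   # drop the closing quote, unescape \" and \\
    path = _normalize(rest)
    name = None
    if action.startswith('Set value'):
        if path.endswith('\\'):                     # trailing backslash = the key's (Default) value
            path, name = path[:-1], '(Default)'
        else:
            path, name = path.rsplit('\\', 1)
    return {'action': action, 'process': process, 'key': path, 'name': name, 'value': value}


def triage(lines):
    """Parse the lines and mark every written value as default, hijacked or unknown."""
    records = []
    for line in lines:
        rec = parse_ioc(line)
        if rec['value'] is None:
            rec['verdict'] = 'n/a'                  # key create/delete/open: nothing to compare
        else:
            expected = BASELINE.get(f"{rec['key']}\\{rec['name']}".lower())
            if expected is None:
                rec['verdict'] = 'unknown'          # no baseline for this value: review by hand
            elif rec['value'].lower() == expected.lower():
                rec['verdict'] = 'default'          # the write restores the stock value
            else:
                rec['verdict'] = 'hijacked'         # a known-sensitive value now differs from stock
        records.append(rec)
    return records


def hijacked(lines):
    """Only the records whose written data differs from the stock value."""
    return [r for r in triage(lines) if r['verdict'] == 'hijacked']


if __name__ == '__main__':
    for r in triage(REPORT_LINES):
        print(f"{r['verdict']:8} {r['action']:15} {r['key']}\\{r['name'] or ''} = {r['value']!r} [{r['process']}]")
```

Run as-is, the seven lines taken from this page come out as default or n/a (or unknown for the GrpConv entry, which has no baseline), and only the constructed evil.exe line is reported as hijacked. Extending BASELINE is the only change needed to cover further keys the sandbox flags.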
Drops file in System32 directory 6 IoCs
Processes: GSAR.cfxxe, cmd.execf

- File created / File opened for modification C:\Windows\SysWOW64\cmd.execf (GSAR.cfxxe)
- File created / File opened for modification C:\Windows\SysWOW64\swsc.exe (cmd.execf)
- File created / File opened for modification C:\Windows\SysWOW64\CF32019.exe (cmd.execf)

All three land in SysWOW64, the 32-bit system directory reached through file-system redirection, and cmd.execf, once written by GSAR.cfxxe, is the process that writes the other two.
Drops file in Windows directory 1 IoCs
Processes: InfDefaultInstall.exe

- File opened for modification C:\Windows\INF\setupapi.app.log (InfDefaultInstall.exe)

setupapi.app.log is the Setup API's own application-install log and is appended to by every INF install; on a live host it records which sections of Prep.inf were processed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

That second sentence is the sandbox's generic rule text. No IoC is attached to this signature on the page, and none of the other signatures shown (no mass file writes outside the tool directory, no renames, no ransom note) supports the ransomware reading.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe

- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (runonce.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (runonce.exe)

The reader is the Windows runonce.exe started by InfDefaultInstall.exe, not a dropped binary, so this is a side effect of the INF install rather than evasion logic in the sample.
Modifies data under HKEY_USERS 10 IoCs
Processes: pev.exe, swreg.exe, PEV.exe

- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor: pev.exe x3, PEV.exe x1
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1": pev.exe x3, PEV.exe x1
- Set value (int) \REGISTRY\USER\.DEFAULT\Console\CodePage = "1252": swreg.exe x1
- Key created \REGISTRY\USER\.DEFAULT\Console: swreg.exe x1

These are command-processor and console configuration values under the .DEFAULT profile, not persistence entries.
Modifies registry class 64 IoCs
Processes: InfDefaultInstall.exe, PEV.exe, pev.exe (all keys under \REGISTRY\MACHINE\SOFTWARE\Classes\)

Extension-to-ProgID mappings written (Set value (str), default value):
- .exe\ = "exefile": InfDefaultInstall.exe x1, pev.exe x1
- .com\ = "comfile": PEV.exe x1
- .bat\ = "batfile": InfDefaultInstall.exe x1, pev.exe x1
- .cmd\ = "cmdfile": pev.exe x2, PEV.exe x1
- .pif\ = "piffile": pev.exe x1
- .vbs\ = "VBSFile": pev.exe x1, PEV.exe x1
- .vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}": PEV.exe x1
- .cfxxe\ = "cfxxefile": PEV.exe x1

Open commands written (Set value (str) <ProgID>\shell\open\command\ = "\"%1\" %*"):
- exefile: pev.exe x2, InfDefaultInstall.exe x1, PEV.exe x1
- comfile: pev.exe x1
- batfile: InfDefaultInstall.exe x1, pev.exe x1
- piffile: pev.exe x1, PEV.exe x1
- cmdfile: PEV.exe x1, InfDefaultInstall.exe x1
- cfxxefile: pev.exe x2, InfDefaultInstall.exe x1

Keys created:
- .bat: InfDefaultInstall.exe x1, pev.exe x1
- .cfexe: PEV.exe x1, pev.exe x2
- .cmd: InfDefaultInstall.exe x1, PEV.exe x1, pev.exe x1
- .com: pev.exe x3, InfDefaultInstall.exe x1
- .exe: pev.exe x1
- .cfxxe: pev.exe x2
- .pif: InfDefaultInstall.exe x1
- .vbs\PersistentHandler: PEV.exe x1, pev.exe x3
- cfexefile: PEV.exe x1
- cfxxefile\shell\open: InfDefaultInstall.exe x1
- cfxxefile\shell\open\command: pev.exe x1
- exefile\shell\open\command: pev.exe x2, InfDefaultInstall.exe x1
- comfile\shell\open\command: PEV.exe x1, InfDefaultInstall.exe x1, pev.exe x1
- batfile\shell\open\command: pev.exe x1
- piffile\shell\open\command: pev.exe x2
- cmdfile\shell\open\command: pev.exe x1, InfDefaultInstall.exe x1

Keys deleted:
- cfexefile: pev.exe x2
- .cfexe: pev.exe x1

(13 + 14 + 34 + 3 = 64 entries, the cap for one signature.) Two things stand out. The standard types (.exe, .com, .bat, .cmd, .pif, .vbs) are all set to their stock ProgIDs and to the stock "%1" %* open command, and {5e941d80-bf96-11cd-b579-08002b30bfeb} is the stock plain-text persistent handler, so those writes restore defaults. The non-standard part is the private .cfxxe extension registered as cfxxefile with an executable open command: that registration is what lets the renamed helper tools (grep.cfxxe, nircmd.cfxxe, GSAR.cfxxe, SWXCACLS.cfxxe, PV.cfxxe) run at all, and the .cfexe/cfexefile keys are created and deleted again within the same run. On a live host, .cfxxe and .cfexe under HKLM\SOFTWARE\Classes are the artefacts to look for after the fact.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: pev.exe only. PIDs 112, 1800 and 1344 account for 5 entries each; every remaining entry up to the 64-entry cap is PID 1592.
Suspicious behavior: LoadsDriver 1 IoCs
Processes: 760 handle64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (privilege enabled: PID image, count):

- SeDebugPrivilege: 1712 pev.exe x1, 1772 PEV.exe x1
- SeRestorePrivilege: 320 InfDefaultInstall.exe x7
- SeSecurityPrivilege: 1900 swreg.exe x1, 1612 SWXCACLS.cfxxe x1
- SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege enabled as a repeating triple: 1244 swreg.exe, one triple; 108 swreg.exe, 50 entries (the 64-entry cap cuts the list mid-triple)

The TakeOwnership/Restore/Security triple is the privilege set needed to take ownership of a registry key and rewrite its DACL, which is what the swreg.exe acl ... /reset and /da:r commands in the process tree do. SeDebugPrivilege on pev.exe 1712 goes with its -k process-kill command line (it is the child of hidec.exe 1992, see the WriteProcessMemory section), and SeRestorePrivilege on InfDefaultInstall.exe is the INF installer's normal behaviour.
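pev.exe 1712, the instance that enables SeDebugPrivilege above, is the one launched with the -k argument visible in the process tree further down: a brace-delimited list of process-name patterns to terminate, aimed at rogue-antivirus names (svchast.exe, winupdate.exe, *sysguard.exe, *spyware.exe, ...). The following is an added example, not code from the report or from the sample, that evaluates that kill list against a constructed set of process names and reports which ones it would kill and why. pev.exe's matching rules are not documented on this page, so shell-wildcard matching of the image name and -preg"..." as a whole-name regular expression are assumptions, as are the function names; the spec string itself is copied verbatim, typos included.

```python
import fnmatch
import re

# The -k argument of the pev.exe launch shown in this report's process tree,
# copied verbatim (typos included: the doubled "or", and "os" where "or" was meant).
KILL_SPEC = (r'* and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or '
             r'ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or '
             r'*sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or '
             r'*spyware.exe or new.exe or -preg"\d{3,}.exe" }')


def parse_kill_spec(spec):
    """Split the spec into wildcard patterns and -preg regexes.

    Assumed semantics (pev.exe is not documented on the page): the braces hold
    an OR-list of process names, * and ? are shell wildcards over the image
    name, and -preg"..." introduces a regular expression.
    """
    body = spec[spec.index('{') + 1:spec.rindex('}')] if '{' in spec else spec
    globs, regexes = [], []
    for tok in body.split():
        if tok.lower() in ('or', 'and'):
            continue                           # separators; the doubled "or" is harmless
        m = re.fullmatch(r'-preg"(.*)"', tok)
        if m:
            regexes.append(re.compile(m.group(1), re.IGNORECASE))
        else:
            globs.append(tok.lower())          # "os" survives as a literal, dead pattern
    return globs, regexes


def match_reason(image, globs, regexes):
    """Return the pattern that hits this image name, or None."""
    low = image.lower()
    for g in globs:
        if fnmatch.fnmatchcase(low, g):
            return g
    for rx in regexes:
        if rx.fullmatch(image):
            return rx.pattern
    return None


def would_kill(images, spec=KILL_SPEC):
    """Map each process image the spec would kill to the pattern responsible."""
    globs, regexes = parse_kill_spec(spec)
    hits = {}
    for image in images:
        why = match_reason(image, globs, regexes)
        if why is not None:
            hits[image] = why
    return hits


# Constructed process list (not from the report): legitimate names mixed with
# look-alikes of the rogue-AV names in the spec.
SAMPLE_PROCESSES = ['explorer.exe', 'svchost.exe', 'svchast.exe', 'AntivirusPro.exe',
                    'a.exe', '1234.exe', '12.exe', 'pump.exe', 'lsass.exe']

if __name__ == '__main__':
    for image, why in would_kill(SAMPLE_PROCESSES).items():
        print(f'{image:20} <- {why}')
```

Two points the output makes visible: the ?.exe and \d{3,}.exe patterns are broad enough to kill any single-letter or all-digit executable, legitimate or not, and svchost.exe survives while the look-alike svchast.exe does not. The same pattern list doubles as a hunting list for the rogue-AV families the tool was written against.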
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent PID image -> child PID image, number of write events; 1068 is the submitted sample 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe):

- 1068 sample -> 1660 iexplore.exe x4
- 1068 sample -> 1116 iexplore.exe x4
- 1068 sample -> 1992 hidec.exe x4
- 1992 hidec.exe -> 1712 pev.exe x4
- 1068 sample -> 1968 n.pif x4
- 1968 n.pif -> 320 InfDefaultInstall.exe x7
- 320 InfDefaultInstall.exe -> 1520 runonce.exe x4
- 1520 runonce.exe -> 1824 grpconv.exe x4
- 1068 sample -> 1556 hidec.exe x4
- 1068 sample -> 2004 hidec.exe x4
- 1556 hidec.exe -> 1772 PEV.exe x4
- 1068 sample -> 772 hidec.exe x4
- 1068 sample -> 1920 hidec.exe x4
- 772 hidec.exe -> 108 swreg.exe x4
- 2004 hidec.exe -> 1900 swreg.exe x4
- 1068 sample -> 988 hidec.exe x1 (list cut at the 64-entry cap)

Every write is from a parent into a child it has just created, and the same parent/child pairs appear in the process tree; that is the writing a parent does when starting a child, not injection into a process the sample did not spawn. Note that PID 1824 is grpconv.exe here and grep.cfxxe later in the dropped-EXE list.
System policy modification 1 TTPs 4 IoCs
Processes: PEV.exe, pev.exe

- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: PEV.exe x1, pev.exe x3

Only the key creation is logged; no policy value is shown being set.
Processes
-
Process tree (image path, command line and triggered signatures; nesting shows the parent/child relationship, with the depth from the report in brackets):

[1] C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  [2] C:\32788R22FWJFW\iexplore.exe
    cmdline: "C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
    - Executes dropped EXE
  [2] C:\32788R22FWJFW\iexplore.exe
    cmdline: "C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
    - Executes dropped EXE
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\32788R22FWJFW\pev.exe
      cmdline: 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\InfDefaultInstall.exe
      cmdline: "C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\runonce.exe
        cmdline: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\grpconv.exe
          cmdline: "C:\Windows\System32\grpconv.exe" -o
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [3] C:\32788R22FWJFW\PEV.exe
      cmdline: 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\32788R22FWJFW\swreg.exe
      cmdline: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\32788R22FWJFW\swreg.exe
      cmdline: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\swreg.exe
      cmdline: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\32788R22FWJFW\SWXCACLS.cfxxe
      cmdline: 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\SWREG.exe
      cmdline: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
      - Executes dropped EXE
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\SWREG.exe
      cmdline: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
      - Executes dropped EXE
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\SWREG.exe
      cmdline: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
      - Executes dropped EXE
  [2] C:\32788R22FWJFW\hidec.exe
    cmdline: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\SWREG.exe
      cmdline: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
      - Executes dropped EXE
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
    - Executes dropped EXE
    [3] C:\32788R22FWJFW\swreg.exe
      cmdline: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
      - Executes dropped EXE
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\32788R22FWJFW\GSAR.cfxxe
      cmdline: 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
      - Executes dropped EXE
      - Drops file in System32 directory
  [2] C:\32788R22FWJFW\nircmd.cfxxe
    cmdline: "C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\32788R22FWJFW\GSAR.cfxxe
      cmdline: 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
      - Executes dropped EXE
      - Drops file in System32 directory
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.execf
      cmdline: "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
      - Executes dropped EXE
      - Loads dropped DLL
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - System policy modification
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.1.2" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "6.0.6" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.2." OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.00.2" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\chcp.com
        cmdline: CHCP 1252
      [4] C:\32788R22FWJFW\NircmdB.exe
        cmdline: NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
        - Executes dropped EXE
  [2] C:\32788R22FWJFW\nircmd.cfxxe
    cmdline: "C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.execf
      cmdline: "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
      - Executes dropped EXE
      - Loads dropped DLL
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - System policy modification
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.1.2" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "6.0.6" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.00.2" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.2." OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\chcp.com
        cmdline: CHCP 1252
      [4] C:\32788R22FWJFW\NircmdB.exe
        cmdline: NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
  [2] C:\32788R22FWJFW\n.pif
    cmdline: "C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
    - Executes dropped EXE
    - Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.execf
      cmdline: "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: 32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - System policy modification
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "5.1.2" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -F "6.0.6" OsVer
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP.cfxxe -isq "ProductType.*WinNT" WinNT00
        - Executes dropped EXE
      [4] C:\32788R22FWJFW\pev.exe
        cmdline: PEV UZIP License\pv_5_2_2.zip .\
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED -r "/.*\t(.:\\[^\\]*)$/!d; s//\1/"
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "HKLM\Software\Swearware" /V LastDir /D "C:\"
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED "/^PATH=/I!d; s///; s/\x22//g" Oripath
      [4] C:\32788R22FWJFW\PEV.cfxxe
        cmdline: PEV -rtf -s+901 .\OriPath00
      [4] C:\32788R22FWJFW\PV.cfxxe
        cmdline: PV -kf runonce.exe grpconv.exe procmon.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
        - Loads dropped DLL
      [4] C:\32788R22FWJFW\NirCmd.cfxxe
        cmdline: Nircmd win close class "#32770"
      [4] C:\32788R22FWJFW\PEV.cfxxe
        cmdline: PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe }
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "HKCU\Console_combofixbackup"
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 0
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 0
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED "/.* /!d; s//@CHCP.com /" NlsCodePageACP00
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\chcp.com
        cmdline: CHCP.com 1252
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED "/.* /!d; s///" NlsLanguage00
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -isq "09$" NlsLanguageDefault
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY HKLM\Software\Swearware /v combofix_wow
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED "/.* /!d; s/// " CFVersionOld00
      [4] C:\32788R22FWJFW\NirCmd.cfxxe
        cmdline: NIRCMD LOOP 2 80 BEEP 3000 200
      [4] C:\32788R22FWJFW\NirCmdC.cfxxe
        cmdline: NIRCMDC QBOXCOMTOP "The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE." "" FILLDELETE AbortP
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD HKLM\Software\Swearware /v combofix_wow /d "09-10-14.09"
      [4] C:\32788R22FWJFW\PEV.cfxxe
        cmdline: PEV -rtf -md5F33C19A7658BB2B004646C8EC8C9D922 .\md5sum.pif
      [4] C:\32788R22FWJFW\PEV.cfxxe
        cmdline: PEV -tf --files:files.pif --c:##5#b#f#
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -vs "^!MD5:" mdCheck00.dat
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fvf md5sum.pif mdCheck0a.dat
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED -r "/^ (aux|midi|mixer|wave)([1-9] | ).*\\/I!d; s/%systemroot%/C:\\Windows/I" temp00
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -F \ temp01
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fi "C:\Windows\system32\userinit.exe" Userinit00
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"
        - Modifies WinLogon for persistence
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Users\\Admin\\AppData\\Local\\Temp\\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00
      [4] C:\32788R22FWJFW\swxcacls.cfxxe
        cmdline: SWXCACLS C:\Windows\system32\FINDSTR.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      [4] C:\32788R22FWJFW\swxcacls.cfxxe
        cmdline: SWXCACLS C:\Windows\system32\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      [4] C:\32788R22FWJFW\swxcacls.cfxxe
        cmdline: SWXCACLS C:\Windows\system32\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      [4] C:\32788R22FWJFW\swxcacls.cfxxe
        cmdline: SWXCACLS C:\Windows\system32\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      [4] C:\32788R22FWJFW\swxcacls.cfxxe
        cmdline: SWXCACLS C:\Windows\system32\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      [4] C:\Windows\SysWOW64\cmd.execf
        cmdline: C:\Windows\system32\cmd.execf /S /D /c" ECHO."C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe""
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Eisq "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$"
      [4] C:\32788R22FWJFW\ATTRIB.cfxxe
        cmdline: ATTRIB +R "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -isq "\/cfDebug" sfx.cmd
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP "=.*[a-z]" sfx.cmd
      [4] C:\32788R22FWJFW\NirCmd.cfxxe
        cmdline: NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE
      [4] C:\Windows\SysWOW64\cscript.exe
        cmdline: CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
      [4] C:\32788R22FWJFW\PV.cfxxe
        cmdline: PV -kf CSCRIPT.exe PV.*
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fsf AVBlack resident.txt
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fivf AVWhite resident.txt
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -E "^(AV|SP): .*enabled\* \("
      [4] C:\32788R22FWJFW\PV.cfxxe
        cmdline: PV -kf thguard.exe ntvdm.exe teatimer*.exe ad-watch*.exe SZServer.exe StopZilla*.exe userinit.exe procmon.exe txp1atform.exe SonndMan.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
      [4] C:\32788R22FWJFW\handle.cfxxe
        cmdline: HANDLE csrss.exe.mui
        [5] C:\32788R22FWJFW\handle64.exe
          cmdline: HANDLE csrss.exe.mui
          - Drops file in Drivers directory
          - Suspicious behavior: LoadsDriver
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI00
      [4] C:\32788R22FWJFW\sed.cfxxe
        cmdline: SED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P" MUI01
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fx "REGEDIT4" Fin.dat
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -ix "FileName=[-[:alnum:]@.]*" FileName
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -ivx ComboFix DirName00
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Fisqx "23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c" DirName01
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver
      [4] C:\32788R22FWJFW\PEV.cfxxe
        cmdline: PEV UZIP "License\streamtools.zip" License
      [4] C:\32788R22FWJFW\grep.cfxxe
        cmdline: GREP -Eisq "=.\/u.$" sfx.cmd
      [4] C:\32788R22FWJFW\swreg.exe
        cmdline: SWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c"
      [4] C:\32788R22FWJFW\hidec.exe
        cmdline: HIDEC "C:\Windows\system32\CF32019.exe" /F:OFF /D /C C:\Start_.cmd
        [5] C:\Windows\SysWOW64\CF32019.exe
          cmdline: "C:\Windows\system32\CF32019.exe" /F:OFF /D /C C:\Start_.cmd
          [6] C:\32788R22FWJFW\ATTRIB.cfxxe
            cmdline: ATTRIB -H -S "C:\32788R22FWJFW\*"
          [6] C:\Windows\SysWOW64\CF32019.exe
            cmdline: "C:\Windows\system32\CF32019.exe" /k c.bat
            [7] C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\grep.cfxxe
              cmdline: GREP -Fqi ".cfxxe;" temp00
            [7] C:\Windows\SysWOW64\chcp.com
              cmdline: CHCP.com 1252
            [7] C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\NircmdB.exe
              cmdline: NircmdB.exe INFOBOX "Incompatible OS. ComboFix only works for Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
          [6] C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\PV.cfxxe
            cmdline: PV -kf cmd.exe cmd.execf Nircmd.cfxxe
      [4] C:\32788R22FWJFW\NirCmd.cfxxe
        cmdline: NIRCMD WAIT 2000
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped files (path and size; duplicate entries merged, per-file hashes omitted):
- C:\32788R22FWJFW\NirCmd.cfxxe (30KB)
- C:\32788R22FWJFW\Prep.inf (2KB)
- C:\32788R22FWJFW\gsar.cfxxe (15KB)
- C:\32788R22FWJFW\hidec.exe (1KB)
- C:\32788R22FWJFW\iexplore.exe (30KB)
- C:\32788R22FWJFW\n.pif (30KB)
- C:\32788R22FWJFW\pev.exe (231KB)
- C:\32788R22FWJFW\swreg.exe (158KB)
- C:\32788R22FWJFW\swxcacls.cfxxe (207KB)
- C:\Windows\SysWOW64\cmd.execf (295KB)
- C:\\32788R22FWJFW\EXE.reg (13KB)
- \32788R22FWJFW\NirCmd.cfxxe (30KB)
- \32788R22FWJFW\gsar.cfxxe (15KB)
SHA2560ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA5127e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
\32788R22FWJFW\gsar.cfxxeFilesize
15KB
MD5d6a005f8facff88e260688ddb7ae00c1
SHA14e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA2560ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA5127e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\hidec.exeFilesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\32788R22FWJFW\iexplore.exeFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\iexplore.exeFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\iexplore.exeFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\n.pifFilesize
30KB
MD5ae72e8619cb31d84da25e2435e55003c
SHA12ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA5121013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
\32788R22FWJFW\pev.exeFilesize
231KB
MD53b44e6b3653fabdf876bc2b13c434e62
SHA1521e5e737c2b22ee61165320ea20e6ac596d84e9
SHA25621793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797
SHA5129df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2
-
\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
\32788R22FWJFW\swxcacls.cfxxeFilesize
207KB
MD5b1a9cf0b6f80611d31987c247ec630b4
SHA17299b3c370254e1e4bade26dc5fec818989d836a
SHA256933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-
\32788R22FWJFW\swxcacls.cfxxeFilesize
207KB
MD5b1a9cf0b6f80611d31987c247ec630b4
SHA17299b3c370254e1e4bade26dc5fec818989d836a
SHA256933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-