23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c

Analysis

max time kernel
51s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
Size

3.2MB
MD5

164522c5805de5f7392cf0f81e67914f
SHA1

11da4bf6263230b0f740d0f602ee7b9d5bd00800
SHA256

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c
SHA512

7c3c8dbe99a9f1c4b7e6e06ecd84a209c224ee41490e358b978de90ee0b42d354e8d6bdcb4932d8465b63b500b67c057992de8c2dbf61d7cfce0cfea8e5e05da

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

swreg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	swreg.exe

Modifies system executable filetype association 2 TTPs 40 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

pev.exeInfDefaultInstall.exePEV.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe

Disables RegEdit via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

handle64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP90.SYS handle64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP90.SYS	handle64.exe

Executes dropped EXE 64 IoCs

Processes:

iexplore.exeiexplore.exehidec.exepev.exen.pifhidec.exePEV.exehidec.exehidec.exehidec.exehidec.exeSWXCACLS.cfxxeswreg.exeswreg.exen.pifswreg.exeSWREG.exehidec.exeSWREG.exen.pifSWREG.exehidec.exeSWREG.exen.pifn.pifGSAR.cfxxenircmd.cfxxeGSAR.cfxxeswreg.exen.pifnircmd.cfxxecmd.execfn.pifcmd.execfcmd.execfpev.exepev.exepev.exepev.exepev.exepev.exegrep.cfxxegrep.cfxxegrep.cfxxegrep.cfxxegrep.cfxxegrep.cfxxegrep.cfxxegrep.cfxxeswreg.exegrep.cfxxeswreg.exegrep.cfxxegrep.cfxxeswreg.exeswreg.exeswreg.exegrep.cfxxegrep.cfxxepev.exeswreg.exeswreg.exeswreg.exeNircmdB.exe

pid	process
1660	iexplore.exe
1116	iexplore.exe
1992	hidec.exe
1712	pev.exe
1968	n.pif
1556	hidec.exe
1772	PEV.exe
2004	hidec.exe
772	hidec.exe
988	hidec.exe
1920	hidec.exe
1612	SWXCACLS.cfxxe
1900	swreg.exe
108	swreg.exe
1792	n.pif
1244	swreg.exe
1984	SWREG.exe
1776	hidec.exe
1508	SWREG.exe
324	n.pif
848	SWREG.exe
1040	hidec.exe
1108	SWREG.exe
1228	n.pif
560	n.pif
1300	GSAR.cfxxe
2016	nircmd.cfxxe
1592	GSAR.cfxxe
976	swreg.exe
1976	n.pif
2036	nircmd.cfxxe
1340	cmd.execf
1692	n.pif
2044	cmd.execf
1660	cmd.execf
1344	pev.exe
112	pev.exe
1800	pev.exe
968	pev.exe
1656	pev.exe
700	pev.exe
1824	grep.cfxxe
940	grep.cfxxe
812	grep.cfxxe
1888	grep.cfxxe
676	grep.cfxxe
1548	grep.cfxxe
1716	grep.cfxxe
1372	grep.cfxxe
560	swreg.exe
472	grep.cfxxe
936	swreg.exe
1332	grep.cfxxe
1348	grep.cfxxe
1688	swreg.exe
1940	swreg.exe
2016	swreg.exe
1228	grep.cfxxe
1200	grep.cfxxe
1592	pev.exe
2000	swreg.exe
1724	swreg.exe
1100	swreg.exe
484	NircmdB.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\32788R22FWJFW\iexplore.exe	upx
\32788R22FWJFW\iexplore.exe	upx
C:\32788R22FWJFW\iexplore.exe	upx
\32788R22FWJFW\iexplore.exe	upx
C:\32788R22FWJFW\iexplore.exe	upx
\32788R22FWJFW\n.pif	upx
\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
\32788R22FWJFW\NirCmd.cfxxe	upx
\32788R22FWJFW\NirCmd.cfxxe	upx
C:\32788R22FWJFW\NirCmd.cfxxe	upx
C:\32788R22FWJFW\swreg.exe	upx

Loads dropped DLL 64 IoCs

Processes:

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exehidec.exehidec.exehidec.exehidec.exen.pifnircmd.cfxxen.pifnircmd.cfxxen.pifcmd.execfcmd.execfcmd.execfPV.cfxxe

pid	process
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1992	hidec.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
2004	hidec.exe
772	hidec.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
988	hidec.exe
988	hidec.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
560	n.pif
560	n.pif
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
2016	nircmd.cfxxe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
1976	n.pif
1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
2036	nircmd.cfxxe
1692	n.pif
2044	cmd.execf
2044	cmd.execf
1340	cmd.execf
2044	cmd.execf
1340	cmd.execf
1660	cmd.execf
1340	cmd.execf
1660	cmd.execf
1340	cmd.execf
1660	cmd.execf
1340	cmd.execf
1660	cmd.execf
2044	cmd.execf
1660	cmd.execf
1340	cmd.execf
1340	cmd.execf
1660	cmd.execf
2044	cmd.execf
2044	cmd.execf
2044	cmd.execf
2044	cmd.execf
2044	cmd.execf
2044	cmd.execf
1996	PV.cfxxe
1996	PV.cfxxe
1996	PV.cfxxe
1996	PV.cfxxe
1996	PV.cfxxe
1996	PV.cfxxe
2044	cmd.execf

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PEV.exepev.exepev.exepev.exeInfDefaultInstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\runonceex	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\	InfDefaultInstall.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\run	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe

Drops file in System32 directory 6 IoCs

Processes:

GSAR.cfxxeGSAR.cfxxecmd.execf

description	ioc	process
File created	C:\Windows\SysWOW64\cmd.execf	GSAR.cfxxe
File opened for modification	C:\Windows\SysWOW64\cmd.execf	GSAR.cfxxe
File created	C:\Windows\SysWOW64\swsc.exe	cmd.execf
File opened for modification	C:\Windows\SysWOW64\swsc.exe	cmd.execf
File created	C:\Windows\SysWOW64\CF32019.exe	cmd.execf
File opened for modification	C:\Windows\SysWOW64\CF32019.exe	cmd.execf

Drops file in Windows directory 1 IoCs

Processes:

InfDefaultInstall.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log InfDefaultInstall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	InfDefaultInstall.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

pev.exeswreg.exePEV.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "1252"	swreg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	PEV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1"	PEV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	swreg.exe

Modifies registry class 64 IoCs

Processes:

InfDefaultInstall.exePEV.exepev.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	pev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pev.exepev.exepev.exepev.exe

pid	process
112	pev.exe
112	pev.exe
112	pev.exe
112	pev.exe
112	pev.exe
1800	pev.exe
1800	pev.exe
1800	pev.exe
1800	pev.exe
1800	pev.exe
1344	pev.exe
1344	pev.exe
1344	pev.exe
1344	pev.exe
1344	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe
1592	pev.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

handle64.exe

pid process

760 handle64.exe

pid	process
760	handle64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pev.exeInfDefaultInstall.exePEV.exeswreg.exeSWXCACLS.cfxxeswreg.exeswreg.exe

description	pid	process
Token: SeDebugPrivilege	1712	pev.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeRestorePrivilege	320	InfDefaultInstall.exe
Token: SeDebugPrivilege	1772	PEV.exe
Token: SeSecurityPrivilege	1900	swreg.exe
Token: SeSecurityPrivilege	1612	SWXCACLS.cfxxe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	1244	swreg.exe
Token: SeRestorePrivilege	1244	swreg.exe
Token: SeSecurityPrivilege	1244	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe
Token: SeSecurityPrivilege	108	swreg.exe
Token: SeTakeOwnershipPrivilege	108	swreg.exe
Token: SeRestorePrivilege	108	swreg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exehidec.exen.pifInfDefaultInstall.exerunonce.exehidec.exehidec.exehidec.exe

description	pid	process	target process
PID 1068 wrote to memory of 1660	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1660	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1660	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1660	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1116	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1116	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1116	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1116	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1068 wrote to memory of 1992	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1992	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1992	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1992	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1992 wrote to memory of 1712	1992	hidec.exe	pev.exe
PID 1992 wrote to memory of 1712	1992	hidec.exe	pev.exe
PID 1992 wrote to memory of 1712	1992	hidec.exe	pev.exe
PID 1992 wrote to memory of 1712	1992	hidec.exe	pev.exe
PID 1068 wrote to memory of 1968	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1068 wrote to memory of 1968	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1068 wrote to memory of 1968	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1068 wrote to memory of 1968	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 1968 wrote to memory of 320	1968	n.pif	InfDefaultInstall.exe
PID 320 wrote to memory of 1520	320	InfDefaultInstall.exe	runonce.exe
PID 320 wrote to memory of 1520	320	InfDefaultInstall.exe	runonce.exe
PID 320 wrote to memory of 1520	320	InfDefaultInstall.exe	runonce.exe
PID 320 wrote to memory of 1520	320	InfDefaultInstall.exe	runonce.exe
PID 1520 wrote to memory of 1824	1520	runonce.exe	grpconv.exe
PID 1520 wrote to memory of 1824	1520	runonce.exe	grpconv.exe
PID 1520 wrote to memory of 1824	1520	runonce.exe	grpconv.exe
PID 1520 wrote to memory of 1824	1520	runonce.exe	grpconv.exe
PID 1068 wrote to memory of 1556	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1556	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1556	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1556	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 2004	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 2004	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 2004	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 2004	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1556 wrote to memory of 1772	1556	hidec.exe	PEV.exe
PID 1556 wrote to memory of 1772	1556	hidec.exe	PEV.exe
PID 1556 wrote to memory of 1772	1556	hidec.exe	PEV.exe
PID 1556 wrote to memory of 1772	1556	hidec.exe	PEV.exe
PID 1068 wrote to memory of 772	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 772	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 772	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 772	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1920	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1920	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1920	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1068 wrote to memory of 1920	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 772 wrote to memory of 108	772	hidec.exe	swreg.exe
PID 772 wrote to memory of 108	772	hidec.exe	swreg.exe
PID 772 wrote to memory of 108	772	hidec.exe	swreg.exe
PID 772 wrote to memory of 108	772	hidec.exe	swreg.exe
PID 2004 wrote to memory of 1900	2004	hidec.exe	swreg.exe
PID 2004 wrote to memory of 1900	2004	hidec.exe	swreg.exe
PID 2004 wrote to memory of 1900	2004	hidec.exe	swreg.exe
PID 2004 wrote to memory of 1900	2004	hidec.exe	swreg.exe
PID 1068 wrote to memory of 988	1068	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

PEV.exepev.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe

C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
"C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
2⤵
- Executes dropped EXE
PID:1660

C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
2⤵
- Executes dropped EXE
PID:1116

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
3⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:1824

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556

C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1772

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
2⤵
- Executes dropped EXE
PID:1920

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988

C:\32788R22FWJFW\SWXCACLS.cfxxe
32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
2⤵
- Executes dropped EXE
PID:1792

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
3⤵
- Executes dropped EXE
PID:1984

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
2⤵
- Executes dropped EXE
PID:1776

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
3⤵
- Executes dropped EXE
PID:1508

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
2⤵
- Executes dropped EXE
PID:324

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
3⤵
- Executes dropped EXE
PID:848

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
2⤵
- Executes dropped EXE
PID:1040

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
3⤵
- Executes dropped EXE
PID:1108

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
2⤵
- Executes dropped EXE
PID:1228

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
3⤵
- Executes dropped EXE
PID:976

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560

C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300

C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:1656

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
4⤵
- Executes dropped EXE
PID:940

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
4⤵
- Executes dropped EXE
PID:1888

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.2." OsVer
4⤵
- Executes dropped EXE
PID:1372

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
4⤵
- Executes dropped EXE
PID:936

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.00.2" OsVer
4⤵
- Executes dropped EXE
PID:1548

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
4⤵
- Executes dropped EXE
PID:1332

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
- Executes dropped EXE
PID:1940

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\chcp.com
CHCP 1252
4⤵
PID:960

C:\32788R22FWJFW\NircmdB.exe
NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
4⤵
- Executes dropped EXE
PID:484

C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:700

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
4⤵
- Executes dropped EXE
PID:676

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
4⤵
- Executes dropped EXE
PID:1716

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.00.2" OsVer
4⤵
- Executes dropped EXE
PID:472

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.2." OsVer
4⤵
- Executes dropped EXE
PID:1348

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
4⤵
- Executes dropped EXE
PID:2016

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
4⤵
- Executes dropped EXE
PID:1200

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
- Executes dropped EXE
PID:1724

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
- Executes dropped EXE
PID:1100

C:\Windows\SysWOW64\chcp.com
CHCP 1252
4⤵
PID:1116

C:\32788R22FWJFW\NircmdB.exe
NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
4⤵
PID:2040

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:968

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
4⤵
- Executes dropped EXE
PID:1824

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
4⤵
- Executes dropped EXE
PID:812

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService
4⤵
- Executes dropped EXE
PID:560

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType
4⤵
- Executes dropped EXE
PID:1688

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -isq "ProductType.*WinNT" WinNT00
4⤵
- Executes dropped EXE
PID:1228

C:\32788R22FWJFW\pev.exe
PEV UZIP License\pv_5_2_2.zip .\
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\32788R22FWJFW\sed.cfxxe
SED -r "/.*\t(.:\\[^\\]*)$/!d; s//\1/"
4⤵
PID:1588

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\Software\Swearware" /V LastDir /D "C:\"
4⤵
PID:1448

C:\32788R22FWJFW\sed.cfxxe
SED "/^PATH=/I!d; s///; s/\x22//g" Oripath
4⤵
PID:2032

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf -s+901 .\OriPath00
4⤵
PID:1612

C:\32788R22FWJFW\PV.cfxxe
PV -kf runonce.exe grpconv.exe procmon.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
4⤵
- Loads dropped DLL
PID:1996

C:\32788R22FWJFW\NirCmd.cfxxe
Nircmd win close class "#32770"
4⤵
PID:612

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe }
4⤵
PID:1840

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKCU\Console_combofixbackup"
4⤵
PID:332

C:\32788R22FWJFW\swreg.exe
SWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s
4⤵
PID:596

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 0
4⤵
PID:1172

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 0
4⤵
PID:1800

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP
4⤵
PID:688

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s//@CHCP.com /" NlsCodePageACP00
4⤵
PID:1908

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"
4⤵
PID:1656

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"
4⤵
- Modifies data under HKEY_USERS
PID:1824

C:\Windows\SysWOW64\chcp.com
CHCP.com 1252
4⤵
PID:1556

C:\32788R22FWJFW\swreg.exe
SWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default
4⤵
PID:700

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s///" NlsLanguage00
4⤵
PID:812

C:\32788R22FWJFW\grep.cfxxe
GREP -isq "09$" NlsLanguageDefault
4⤵
PID:1180

C:\32788R22FWJFW\swreg.exe
SWREG QUERY HKLM\Software\Swearware /v combofix_wow
4⤵
PID:772

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s/// " CFVersionOld00
4⤵
PID:900

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD LOOP 2 80 BEEP 3000 200
4⤵
PID:1884

C:\32788R22FWJFW\NirCmdC.cfxxe
NIRCMDC QBOXCOMTOP "The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE." "" FILLDELETE AbortP
4⤵
PID:396

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\Software\Swearware /v combofix_wow /d "09-10-14.09"
4⤵
PID:1888

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf -md5F33C19A7658BB2B004646C8EC8C9D922 .\md5sum.pif
4⤵
PID:1372

C:\32788R22FWJFW\PEV.cfxxe
PEV -tf --files:files.pif --c:##5#b#f#
4⤵
PID:1108

C:\32788R22FWJFW\grep.cfxxe
GREP -vs "^!MD5:" mdCheck00.dat
4⤵
PID:1604

C:\32788R22FWJFW\grep.cfxxe
GREP -Fvf md5sum.pif mdCheck0a.dat
4⤵
PID:2004

C:\32788R22FWJFW\swreg.exe
SWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q
4⤵
PID:2028

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
4⤵
PID:1632

C:\32788R22FWJFW\sed.cfxxe
SED -r "/^ (aux|midi|mixer|wave)([1-9] | ).*\\/I!d; s/%systemroot%/C:\\Windows/I" temp00
4⤵
PID:1348

C:\32788R22FWJFW\grep.cfxxe
GREP -F \ temp01
4⤵
PID:1688

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve
4⤵
PID:2024

C:\32788R22FWJFW\swreg.exe
SWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
4⤵
PID:1616

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit
4⤵
PID:2016

C:\32788R22FWJFW\grep.cfxxe
GREP -Fi "C:\Windows\system32\userinit.exe" Userinit00
4⤵
PID:1608

C:\32788R22FWJFW\swreg.exe
SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"
4⤵
- Modifies WinLogon for persistence
PID:1232

C:\32788R22FWJFW\sed.cfxxe
SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Users\\Admin\\AppData\\Local\\Temp\\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00
4⤵
PID:1940

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\FINDSTR.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:1200

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:1320

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:2000

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:1724

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.execf
C:\Windows\system32\cmd.execf /S /D /c" ECHO."C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe""
4⤵
PID:1340

C:\32788R22FWJFW\grep.cfxxe
GREP -Eisq "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$"
4⤵
PID:1244

C:\32788R22FWJFW\ATTRIB.cfxxe
ATTRIB +R "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
4⤵
PID:320

C:\32788R22FWJFW\grep.cfxxe
GREP -isq "\/cfDebug" sfx.cmd
4⤵
PID:1660

C:\32788R22FWJFW\grep.cfxxe
GREP "=.*[a-z]" sfx.cmd
4⤵
PID:868

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE
4⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
4⤵
PID:1116

C:\32788R22FWJFW\PV.cfxxe
PV -kf CSCRIPT.exe PV.*
4⤵
PID:1776

C:\32788R22FWJFW\grep.cfxxe
GREP -Fsf AVBlack resident.txt
4⤵
PID:1996

C:\32788R22FWJFW\grep.cfxxe
GREP -Fivf AVWhite resident.txt
4⤵
PID:1964

C:\32788R22FWJFW\grep.cfxxe
GREP -E "^(AV|SP): .*enabled\* \("
4⤵
PID:1016

C:\32788R22FWJFW\PV.cfxxe
PV -kf thguard.exe ntvdm.exe teatimer*.exe ad-watch*.exe SZServer.exe StopZilla*.exe userinit.exe procmon.exe txp1atform.exe SonndMan.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
4⤵
PID:1960

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
PID:848

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
PID:1828

C:\32788R22FWJFW\handle.cfxxe
HANDLE csrss.exe.mui
4⤵
PID:1520

C:\32788R22FWJFW\handle64.exe
HANDLE csrss.exe.mui
5⤵
- Drops file in Drivers directory
- Suspicious behavior: LoadsDriver
PID:760

C:\32788R22FWJFW\sed.cfxxe
SED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI00
4⤵
PID:1800

C:\32788R22FWJFW\sed.cfxxe
SED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P" MUI01
4⤵
PID:688

C:\32788R22FWJFW\grep.cfxxe
GREP -Fx "REGEDIT4" Fin.dat
4⤵
PID:1908

C:\32788R22FWJFW\grep.cfxxe
GREP -ix "FileName=[-[:alnum:]@.]*" FileName
4⤵
PID:1656

C:\32788R22FWJFW\grep.cfxxe
GREP -ivx ComboFix DirName00
4⤵
PID:1824

C:\32788R22FWJFW\grep.cfxxe
GREP -Fisqx "23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c" DirName01
4⤵
PID:1556

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver
4⤵
PID:700

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver
4⤵
PID:812

C:\32788R22FWJFW\PEV.cfxxe
PEV UZIP "License\streamtools.zip" License
4⤵
PID:1180

C:\32788R22FWJFW\grep.cfxxe
GREP -Eisq "=.\/u.$" sfx.cmd
4⤵
PID:900

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c"
4⤵
PID:1832

C:\32788R22FWJFW\hidec.exe
HIDEC "C:\Windows\system32\CF32019.exe" /F:OFF /D /C C:\Start_.cmd
4⤵
PID:1252

C:\Windows\SysWOW64\CF32019.exe
"C:\Windows\system32\CF32019.exe" /F:OFF /D /C C:\Start_.cmd
5⤵
PID:1548

C:\32788R22FWJFW\ATTRIB.cfxxe
ATTRIB -H -S "C:\32788R22FWJFW\*"
6⤵
PID:1676

C:\Windows\SysWOW64\CF32019.exe
"C:\Windows\system32\CF32019.exe" /k c.bat
6⤵
PID:1604

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\grep.cfxxe
GREP -Fqi ".cfxxe;" temp00
7⤵
PID:1920

C:\Windows\SysWOW64\chcp.com
CHCP.com 1252
7⤵
PID:1300

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\NircmdB.exe
NircmdB.exe INFOBOX "Incompatible OS. ComboFix only works for Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
7⤵
PID:1628

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\PV.cfxxe
PV -kf cmd.exe cmd.execf Nircmd.cfxxe
6⤵
PID:1836

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD WAIT 2000
4⤵
PID:1372

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\Prep.inf
Filesize
2KB

MD5
1aa16d0f74468cf739427c823e44f693

SHA1
ea83e02989f1427fb0f2f1f5eb23e1e125cd5c78

SHA256
8419a839e8e106403e2dc8ae73ef9a627bb894b91a5b39e2ad88e62c9d66dc56

SHA512
0a403c320ce88bd7b0dcbfcf71e552d08e070fafefeada050c330f01e50cc542726812026d18b14216be49ca608197630b65f23fc32b89268b8bb86de7c35782

Download Submit
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swxcacls.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
C:\32788R22FWJFW\swxcacls.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
C:\Windows\SysWOW64\cmd.execf
Filesize
295KB

MD5
8c1dc5d4fa169af131aefcb6ed77a52d

SHA1
817f3b766b2630b8f16d816535d79193f29e20a3

SHA256
e4b7858ee885ae247ce3f31d3a3d0939ceb587fa6780e5a0371c58aa7e9c536e

SHA512
00668dd92ec73bcedeeb6ce4c5bdb0a5abadbfce2ff600eee6376ff5ceb44eab1033f2e9588b5f4a7de8905d1a6e7032566befb03eaa9d1be0af6542ad59fab0

Download Submit
C:\\32788R22FWJFW\EXE.reg
Filesize
13KB

MD5
eea590e05f33b10a4872de498e19b47a

SHA1
7528ff7e2f6f499d5769f9e716d3b2d123015964

SHA256
ad056333abd166c63c9b2db588a07e75b834cbdd4fe7a7815bc253782d97cdcf

SHA512
4a017b5c45846d9144fb195205452ccd054c24eaef8d721f6bc7e48b6470fb25e9dd72f87e1d382deda4166158467b887a294e5141de9cf134739113a0ed67ec

Download Submit
\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
\32788R22FWJFW\swxcacls.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
\32788R22FWJFW\swxcacls.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
memory/108-101-0x0000000000000000-mapping.dmp

Download
memory/112-174-0x0000000000000000-mapping.dmp

Download
memory/112-176-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/320-79-0x0000000000000000-mapping.dmp

Download
memory/324-130-0x0000000000000000-mapping.dmp

Download
memory/472-195-0x0000000000000000-mapping.dmp

Download
memory/560-192-0x0000000000000000-mapping.dmp

Download
memory/560-145-0x0000000000000000-mapping.dmp

Download
memory/676-189-0x0000000000000000-mapping.dmp

Download
memory/700-186-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/700-183-0x0000000000000000-mapping.dmp

Download
memory/772-94-0x0000000000000000-mapping.dmp

Download
memory/812-187-0x0000000000000000-mapping.dmp

Download
memory/848-133-0x0000000000000000-mapping.dmp

Download
memory/936-194-0x0000000000000000-mapping.dmp

Download
memory/940-185-0x0000000000000000-mapping.dmp

Download
memory/968-178-0x0000000000000000-mapping.dmp

Download
memory/968-180-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/976-161-0x0000000000000000-mapping.dmp

Download
memory/988-104-0x0000000000000000-mapping.dmp

Download
memory/1040-136-0x0000000000000000-mapping.dmp

Download
memory/1068-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1108-214-0x00000000003D0000-0x0000000000494000-memory.dmp

Filesize
784KB

Download
memory/1108-140-0x0000000000000000-mapping.dmp

Download
memory/1116-60-0x0000000000000000-mapping.dmp

Download
memory/1180-217-0x0000000000BD0000-0x0000000000C94000-memory.dmp

Filesize
784KB

Download
memory/1200-202-0x0000000000000000-mapping.dmp

Download
memory/1228-139-0x0000000000000000-mapping.dmp

Download
memory/1228-201-0x0000000000000000-mapping.dmp

Download
memory/1244-115-0x0000000000000000-mapping.dmp

Download
memory/1300-151-0x0000000000000000-mapping.dmp

Download
memory/1332-196-0x0000000000000000-mapping.dmp

Download
memory/1340-168-0x0000000000000000-mapping.dmp

Download
memory/1344-173-0x0000000000000000-mapping.dmp

Download
memory/1344-179-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/1348-197-0x0000000000000000-mapping.dmp

Download
memory/1372-213-0x0000000000250000-0x0000000000314000-memory.dmp

Filesize
784KB

Download
memory/1372-193-0x0000000000000000-mapping.dmp

Download
memory/1508-127-0x0000000000000000-mapping.dmp

Download
memory/1520-81-0x0000000000000000-mapping.dmp

Download
memory/1548-190-0x0000000000000000-mapping.dmp

Download
memory/1556-86-0x0000000000000000-mapping.dmp

Download
memory/1592-203-0x0000000000000000-mapping.dmp

Download
memory/1592-159-0x0000000000000000-mapping.dmp

Download
memory/1592-207-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/1612-111-0x0000000000000000-mapping.dmp

Download
memory/1612-208-0x00000000001F0000-0x00000000002B4000-memory.dmp

Filesize
784KB

Download
memory/1656-181-0x0000000000000000-mapping.dmp

Download
memory/1656-184-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/1660-171-0x0000000000000000-mapping.dmp

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download
memory/1688-198-0x0000000000000000-mapping.dmp

Download
memory/1692-169-0x0000000000000000-mapping.dmp

Download
memory/1712-77-0x0000000000E70000-0x0000000000F34000-memory.dmp

Filesize
784KB

Download
memory/1712-70-0x0000000000000000-mapping.dmp

Download
memory/1716-191-0x0000000000000000-mapping.dmp

Download
memory/1772-90-0x0000000000000000-mapping.dmp

Download
memory/1772-116-0x00000000003F0000-0x00000000004B4000-memory.dmp

Filesize
784KB

Download
memory/1776-125-0x0000000000000000-mapping.dmp

Download
memory/1792-106-0x0000000000000000-mapping.dmp

Download
memory/1800-177-0x0000000001370000-0x0000000001434000-memory.dmp

Filesize
784KB

Download
memory/1800-175-0x0000000000000000-mapping.dmp

Download
memory/1824-83-0x0000000000000000-mapping.dmp

Download
memory/1824-182-0x0000000000000000-mapping.dmp

Download
memory/1840-210-0x0000000001350000-0x0000000001414000-memory.dmp

Filesize
784KB

Download
memory/1888-188-0x0000000000000000-mapping.dmp

Download
memory/1900-102-0x0000000000000000-mapping.dmp

Download
memory/1920-97-0x0000000000000000-mapping.dmp

Download
memory/1940-199-0x0000000000000000-mapping.dmp

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download
memory/1976-164-0x0000000000000000-mapping.dmp

Download
memory/1984-121-0x0000000000000000-mapping.dmp

Download
memory/1992-66-0x0000000000000000-mapping.dmp

Download
memory/2000-204-0x0000000000000000-mapping.dmp

Download
memory/2004-89-0x0000000000000000-mapping.dmp

Download
memory/2016-155-0x0000000000000000-mapping.dmp

Download
memory/2016-200-0x0000000000000000-mapping.dmp

Download
memory/2036-166-0x0000000000000000-mapping.dmp

Download
memory/2044-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads