23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c

Analysis

max time kernel
188s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
Size

3.2MB
MD5

164522c5805de5f7392cf0f81e67914f
SHA1

11da4bf6263230b0f740d0f602ee7b9d5bd00800
SHA256

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c
SHA512

7c3c8dbe99a9f1c4b7e6e06ecd84a209c224ee41490e358b978de90ee0b42d354e8d6bdcb4932d8465b63b500b67c057992de8c2dbf61d7cfce0cfea8e5e05da

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

swreg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	swreg.exe

Modifies system executable filetype association 2 TTPs 40 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

pev.exepev.exepev.exePEV.exeInfDefaultInstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe

Disables RegEdit via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

handle64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP90.SYS handle64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP90.SYS	handle64.exe

Executes dropped EXE 64 IoCs

Processes:

iexplore.exeiexplore.exehidec.exepev.exen.pifhidec.exePEV.exehidec.exeswreg.exehidec.exeswreg.exehidec.exehidec.exeswreg.exeSWXCACLS.cfxxen.pifSWREG.exehidec.exeSWREG.exen.pifSWREG.exehidec.exeSWREG.exen.pifn.pifGSAR.cfxxenircmd.cfxxeGSAR.cfxxeswreg.exen.pifnircmd.cfxxen.pifcmd.execfcmd.execfcmd.execfpev.exepev.exepev.exepev.exepev.exepev.exegrep.cfxxegrep.cfxxegrep.cfxxeswreg.exegrep.cfxxegrep.cfxxegrep.cfxxeswreg.exegrep.cfxxeswreg.exepev.exegrep.cfxxegrep.cfxxegrep.cfxxeswreg.exeswreg.exegrep.cfxxeswreg.exeswreg.exeswreg.exeNircmdB.exeNircmdB.exeswreg.exe

pid	process
4536	iexplore.exe
5060	iexplore.exe
4620	hidec.exe
4588	pev.exe
4760	n.pif
452	hidec.exe
3720	PEV.exe
3968	hidec.exe
3448	swreg.exe
3556	hidec.exe
4692	swreg.exe
5092	hidec.exe
1460	hidec.exe
4440	swreg.exe
3140	SWXCACLS.cfxxe
2412	n.pif
4272	SWREG.exe
3516	hidec.exe
4768	SWREG.exe
956	n.pif
4396	SWREG.exe
2860	hidec.exe
3824	SWREG.exe
3748	n.pif
4484	n.pif
4532	GSAR.cfxxe
4064	nircmd.cfxxe
2480	GSAR.cfxxe
1324	swreg.exe
1816	n.pif
536	nircmd.cfxxe
2076	n.pif
5036	cmd.execf
1300	cmd.execf
1756	cmd.execf
3632	pev.exe
1392	pev.exe
3408	pev.exe
4780	pev.exe
4656	pev.exe
2680	pev.exe
4676	grep.cfxxe
4736	grep.cfxxe
4980	grep.cfxxe
2636	swreg.exe
452	grep.cfxxe
2812	grep.cfxxe
3196	grep.cfxxe
2932	swreg.exe
4724	grep.cfxxe
4796	swreg.exe
668	pev.exe
2420	grep.cfxxe
4164	grep.cfxxe
3260	grep.cfxxe
216	swreg.exe
4108	swreg.exe
1200	grep.cfxxe
2712	swreg.exe
2980	swreg.exe
1352	swreg.exe
5116	NircmdB.exe
1944	NircmdB.exe
4888	swreg.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\32788R22FWJFW\iexplore.exe	upx
C:\32788R22FWJFW\iexplore.exe	upx
C:\32788R22FWJFW\iexplore.exe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\NirCmd.cfxxe	upx
C:\32788R22FWJFW\nircmd.cfxxe	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\NirCmd.cfxxe	upx
C:\32788R22FWJFW\n.pif	upx
C:\32788R22FWJFW\swreg.exe	upx
C:\32788R22FWJFW\swreg.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exen.pif

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	n.pif

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InfDefaultInstall.exePEV.exepev.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex	PEV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	InfDefaultInstall.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run	pev.exe

Drops file in System32 directory 6 IoCs

Processes:

cmd.execfGSAR.cfxxeGSAR.cfxxe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\swsc.exe	cmd.execf
File created	C:\Windows\SysWOW64\CF5295.exe	cmd.execf
File opened for modification	C:\Windows\SysWOW64\CF5295.exe	cmd.execf
File created	C:\Windows\SysWOW64\cmd.execf	GSAR.cfxxe
File opened for modification	C:\Windows\SysWOW64\cmd.execf	GSAR.cfxxe
File created	C:\Windows\SysWOW64\swsc.exe	cmd.execf

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

swreg.exePEV.exepev.exepev.exepev.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "1252"	swreg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	PEV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	swreg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	PEV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"	pev.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	pev.exe

Modifies registry class 64 IoCs

Processes:

PEV.exepev.exepev.exeInfDefaultInstall.exepev.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	InfDefaultInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	pev.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	pev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	PEV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	pev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pev.exepev.exepev.exe

pid	process
1392	pev.exe
1392	pev.exe
1392	pev.exe
1392	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
1392	pev.exe
3408	pev.exe
3408	pev.exe
3408	pev.exe
3408	pev.exe
3408	pev.exe
3408	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe
3632	pev.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

handle64.exe

pid process

928 handle64.exe

pid	process
928	handle64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pev.exeswreg.exeswreg.exeswreg.exePEV.exeSWXCACLS.cfxxe

description	pid	process
Token: SeDebugPrivilege	4588	pev.exe
Token: SeSecurityPrivilege	3448	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4440	swreg.exe
Token: SeRestorePrivilege	4440	swreg.exe
Token: SeSecurityPrivilege	4440	swreg.exe
Token: SeDebugPrivilege	3720	PEV.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	3140	SWXCACLS.cfxxe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe
Token: SeTakeOwnershipPrivilege	4692	swreg.exe
Token: SeRestorePrivilege	4692	swreg.exe
Token: SeSecurityPrivilege	4692	swreg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exehidec.exen.pifInfDefaultInstall.exehidec.exerunonce.exehidec.exehidec.exehidec.exehidec.exen.pifhidec.exe

description	pid	process	target process
PID 1416 wrote to memory of 4536	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 4536	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 4536	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 5060	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 5060	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 5060	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	iexplore.exe
PID 1416 wrote to memory of 4620	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 4620	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 4620	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 4620 wrote to memory of 4588	4620	hidec.exe	pev.exe
PID 4620 wrote to memory of 4588	4620	hidec.exe	pev.exe
PID 4620 wrote to memory of 4588	4620	hidec.exe	pev.exe
PID 1416 wrote to memory of 4760	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1416 wrote to memory of 4760	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1416 wrote to memory of 4760	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 4760 wrote to memory of 5100	4760	n.pif	InfDefaultInstall.exe
PID 4760 wrote to memory of 5100	4760	n.pif	InfDefaultInstall.exe
PID 4760 wrote to memory of 5100	4760	n.pif	InfDefaultInstall.exe
PID 5100 wrote to memory of 788	5100	InfDefaultInstall.exe	runonce.exe
PID 5100 wrote to memory of 788	5100	InfDefaultInstall.exe	runonce.exe
PID 5100 wrote to memory of 788	5100	InfDefaultInstall.exe	runonce.exe
PID 1416 wrote to memory of 452	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 452	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 452	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 452 wrote to memory of 3720	452	hidec.exe	PEV.exe
PID 452 wrote to memory of 3720	452	hidec.exe	PEV.exe
PID 452 wrote to memory of 3720	452	hidec.exe	PEV.exe
PID 1416 wrote to memory of 3968	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3968	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3968	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 788 wrote to memory of 1844	788	runonce.exe	grpconv.exe
PID 788 wrote to memory of 1844	788	runonce.exe	grpconv.exe
PID 788 wrote to memory of 1844	788	runonce.exe	grpconv.exe
PID 3968 wrote to memory of 3448	3968	hidec.exe	swreg.exe
PID 3968 wrote to memory of 3448	3968	hidec.exe	swreg.exe
PID 3968 wrote to memory of 3448	3968	hidec.exe	swreg.exe
PID 1416 wrote to memory of 3556	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3556	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3556	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 5092	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 5092	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 5092	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 3556 wrote to memory of 4692	3556	hidec.exe	swreg.exe
PID 3556 wrote to memory of 4692	3556	hidec.exe	swreg.exe
PID 3556 wrote to memory of 4692	3556	hidec.exe	swreg.exe
PID 1416 wrote to memory of 1460	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 1460	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 1460	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 5092 wrote to memory of 4440	5092	hidec.exe	swreg.exe
PID 5092 wrote to memory of 4440	5092	hidec.exe	swreg.exe
PID 5092 wrote to memory of 4440	5092	hidec.exe	swreg.exe
PID 1460 wrote to memory of 3140	1460	hidec.exe	SWXCACLS.cfxxe
PID 1460 wrote to memory of 3140	1460	hidec.exe	SWXCACLS.cfxxe
PID 1460 wrote to memory of 3140	1460	hidec.exe	SWXCACLS.cfxxe
PID 1416 wrote to memory of 2412	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1416 wrote to memory of 2412	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 1416 wrote to memory of 2412	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	n.pif
PID 2412 wrote to memory of 4272	2412	n.pif	SWREG.exe
PID 2412 wrote to memory of 4272	2412	n.pif	SWREG.exe
PID 2412 wrote to memory of 4272	2412	n.pif	SWREG.exe
PID 1416 wrote to memory of 3516	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3516	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 1416 wrote to memory of 3516	1416	23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe	hidec.exe
PID 3516 wrote to memory of 4768	3516	hidec.exe	SWREG.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

PEV.exepev.exepev.exepev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	PEV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pev.exe

C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
"C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1416

C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
2⤵
- Executes dropped EXE
PID:4536

C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
2⤵
- Executes dropped EXE
PID:5060

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
3⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:1844

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452

C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3720

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460

C:\32788R22FWJFW\SWXCACLS.cfxxe
32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
3⤵
- Executes dropped EXE
PID:4272

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
3⤵
- Executes dropped EXE
PID:4768

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
2⤵
- Executes dropped EXE
PID:956

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
3⤵
- Executes dropped EXE
PID:4396

C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
2⤵
- Executes dropped EXE
PID:2860

C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
3⤵
- Executes dropped EXE
PID:3824

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
2⤵
- Executes dropped EXE
PID:3748

C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
3⤵
- Executes dropped EXE
PID:1324

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
2⤵
- Executes dropped EXE
PID:4484

C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4532

C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
2⤵
- Executes dropped EXE
PID:4064

C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&1
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:2680

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService
4⤵
- Executes dropped EXE
PID:2636

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType
4⤵
- Executes dropped EXE
PID:2932

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -isq "ProductType.*WinNT" WinNT00
4⤵
- Executes dropped EXE
PID:4724

C:\32788R22FWJFW\pev.exe
PEV UZIP License\pv_5_2_2.zip .\
4⤵
- Executes dropped EXE
PID:668

C:\32788R22FWJFW\sed.cfxxe
SED -r "/.*\t(.:\\[^\\]*)$/!d; s//\1/"
4⤵
PID:1096

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\Software\Swearware" /V LastDir /D "C:\"
4⤵
- Executes dropped EXE
PID:4888

C:\32788R22FWJFW\sed.cfxxe
SED "/^PATH=/I!d; s///; s/\x22//g" Oripath
4⤵
PID:4812

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf -s+901 .\OriPath00
4⤵
PID:4596

C:\32788R22FWJFW\PV.cfxxe
PV -kf runonce.exe grpconv.exe procmon.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
4⤵
PID:620

C:\32788R22FWJFW\NirCmd.cfxxe
Nircmd win close class "#32770"
4⤵
PID:4392

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe }
4⤵
PID:4376

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKCU\Console_combofixbackup"
4⤵
PID:2860

C:\32788R22FWJFW\swreg.exe
SWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s
4⤵
PID:3820

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 0
4⤵
PID:4464

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 0
4⤵
PID:3772

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP
4⤵
PID:3760

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s//@CHCP.com /" NlsCodePageACP00
4⤵
PID:4860

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"
4⤵
PID:2752

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"
4⤵
- Modifies data under HKEY_USERS
PID:1920

C:\Windows\SysWOW64\chcp.com
CHCP.com 1252
4⤵
PID:1924

C:\32788R22FWJFW\swreg.exe
SWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default
4⤵
PID:3600

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s///" NlsLanguage00
4⤵
PID:968

C:\32788R22FWJFW\grep.cfxxe
GREP -isq "09$" NlsLanguageDefault
4⤵
PID:1468

C:\32788R22FWJFW\swreg.exe
SWREG QUERY HKLM\Software\Swearware /v combofix_wow
4⤵
PID:3000

C:\32788R22FWJFW\sed.cfxxe
SED "/.* /!d; s/// " CFVersionOld00
4⤵
PID:992

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD LOOP 2 80 BEEP 3000 200
4⤵
PID:1444

C:\32788R22FWJFW\NirCmdC.cfxxe
NIRCMDC QBOXCOMTOP "The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE." "" FILLDELETE AbortP
4⤵
PID:1492

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\Software\Swearware /v combofix_wow /d "09-10-14.09"
4⤵
PID:4952

C:\32788R22FWJFW\PEV.cfxxe
PEV -rtf -md5F33C19A7658BB2B004646C8EC8C9D922 .\md5sum.pif
4⤵
PID:4352

C:\32788R22FWJFW\PEV.cfxxe
PEV -tf --files:files.pif --c:##5#b#f#
4⤵
PID:2468

C:\32788R22FWJFW\grep.cfxxe
GREP -vs "^!MD5:" mdCheck00.dat
4⤵
PID:4528

C:\32788R22FWJFW\grep.cfxxe
GREP -Fvf md5sum.pif mdCheck0a.dat
4⤵
PID:4444

C:\32788R22FWJFW\swreg.exe
SWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q
4⤵
PID:1688

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
4⤵
PID:3564

C:\32788R22FWJFW\sed.cfxxe
SED -r "/^ (aux|midi|mixer|wave)([1-9] | ).*\\/I!d; s/%systemroot%/C:\\Windows/I" temp00
4⤵
PID:3100

C:\32788R22FWJFW\grep.cfxxe
GREP -F \ temp01
4⤵
PID:4876

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve
4⤵
PID:3300

C:\32788R22FWJFW\swreg.exe
SWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
4⤵
PID:1464

C:\32788R22FWJFW\swreg.exe
SWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit
4⤵
PID:1432

C:\32788R22FWJFW\grep.cfxxe
GREP -Fi "C:\Windows\system32\userinit.exe" Userinit00
4⤵
PID:1392

C:\32788R22FWJFW\swreg.exe
SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"
4⤵
- Modifies WinLogon for persistence
PID:2700

C:\32788R22FWJFW\sed.cfxxe
SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Users\\Admin\\AppData\\Local\\Temp\\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00
4⤵
PID:4536

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\FINDSTR.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:4684

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:4656

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:4676

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:5068

C:\32788R22FWJFW\swxcacls.cfxxe
SWXCACLS C:\Windows\system32\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
4⤵
PID:2096

C:\Windows\SysWOW64\cmd.execf
C:\Windows\system32\cmd.execf /S /D /c" ECHO."C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe""
4⤵
PID:4736

C:\32788R22FWJFW\grep.cfxxe
GREP -Eisq "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$"
4⤵
PID:1952

C:\32788R22FWJFW\ATTRIB.cfxxe
ATTRIB +R "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
4⤵
PID:1592

C:\32788R22FWJFW\grep.cfxxe
GREP -isq "\/cfDebug" sfx.cmd
4⤵
PID:2032

C:\32788R22FWJFW\grep.cfxxe
GREP "=.*[a-z]" sfx.cmd
4⤵
PID:3968

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE
4⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
4⤵
PID:4224

C:\32788R22FWJFW\PV.cfxxe
PV -kf CSCRIPT.exe PV.*
4⤵
PID:5096

C:\32788R22FWJFW\grep.cfxxe
GREP -Fsf AVBlack resident.txt
4⤵
PID:1460

C:\32788R22FWJFW\grep.cfxxe
GREP -Fivf AVWhite resident.txt
4⤵
PID:3104

C:\32788R22FWJFW\grep.cfxxe
GREP -E "^(AV|SP): .*enabled\* \("
4⤵
PID:3512

C:\32788R22FWJFW\PV.cfxxe
PV -kf thguard.exe ntvdm.exe teatimer*.exe ad-watch*.exe SZServer.exe StopZilla*.exe userinit.exe procmon.exe txp1atform.exe SonndMan.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
4⤵
PID:2116

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
PID:3932

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
PID:4424

C:\32788R22FWJFW\handle.cfxxe
HANDLE csrss.exe.mui
4⤵
PID:4344

C:\32788R22FWJFW\handle64.exe
HANDLE csrss.exe.mui
5⤵
- Drops file in Drivers directory
- Suspicious behavior: LoadsDriver
PID:928

C:\32788R22FWJFW\sed.cfxxe
SED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI00
4⤵
PID:3456

C:\32788R22FWJFW\sed.cfxxe
SED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P" MUI01
4⤵
PID:3220

C:\32788R22FWJFW\grep.cfxxe
GREP -Fx "REGEDIT4" Fin.dat
4⤵
PID:2724

C:\32788R22FWJFW\grep.cfxxe
GREP -ix "FileName=[-[:alnum:]@.]*" FileName
4⤵
PID:3140

C:\32788R22FWJFW\grep.cfxxe
GREP -ivx ComboFix DirName00
4⤵
PID:788

C:\32788R22FWJFW\grep.cfxxe
GREP -Fisqx "23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c" DirName01
4⤵
PID:1328

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver
4⤵
PID:1428

C:\32788R22FWJFW\swreg.exe
SWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver
4⤵
PID:3888

C:\32788R22FWJFW\PEV.cfxxe
PEV UZIP "License\streamtools.zip" License
4⤵
PID:4280

C:\32788R22FWJFW\grep.cfxxe
GREP -Eisq "=.\/u.$" sfx.cmd
4⤵
PID:1708

C:\32788R22FWJFW\swreg.exe
SWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c"
4⤵
PID:2144

C:\32788R22FWJFW\hidec.exe
HIDEC "C:\Windows\system32\CF5295.exe" /F:OFF /D /C C:\Start_.cmd
4⤵
PID:208

C:\Windows\SysWOW64\CF5295.exe
"C:\Windows\system32\CF5295.exe" /F:OFF /D /C C:\Start_.cmd
5⤵
PID:4652

C:\32788R22FWJFW\ATTRIB.cfxxe
ATTRIB -H -S "C:\32788R22FWJFW\*"
6⤵
PID:4636

C:\Windows\SysWOW64\CF5295.exe
"C:\Windows\system32\CF5295.exe" /k c.bat
6⤵
PID:1312

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\grep.cfxxe
GREP -Fqi ".cfxxe;" temp00
7⤵
PID:3204

C:\Windows\SysWOW64\chcp.com
CHCP.com 1252
7⤵
PID:3684

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\NircmdB.exe
NircmdB.exe INFOBOX "Incompatible OS. ComboFix only works for Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
7⤵
PID:1980

C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\PV.cfxxe
PV -kf cmd.exe cmd.execf Nircmd.cfxxe
6⤵
PID:1776

C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD WAIT 2000
4⤵
PID:2692

C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
2⤵
- Executes dropped EXE
PID:536

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
3⤵
- Executes dropped EXE
PID:5036

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1392

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:4656

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
4⤵
- Executes dropped EXE
PID:4676

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
4⤵
- Executes dropped EXE
PID:4980

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.00.2" OsVer
4⤵
- Executes dropped EXE
PID:452

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.2." OsVer
4⤵
- Executes dropped EXE
PID:2812

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
4⤵
- Executes dropped EXE
PID:4796

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
4⤵
- Executes dropped EXE
PID:4164

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
- Executes dropped EXE
PID:4108

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\chcp.com
CHCP 1252
4⤵
PID:4460

C:\32788R22FWJFW\NircmdB.exe
NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
4⤵
- Executes dropped EXE
PID:5116

C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\SysWOW64\cmd.execf
"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd
3⤵
- Executes dropped EXE
PID:1300

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:4780

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
4⤵
- Executes dropped EXE
PID:4736

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
4⤵
- Executes dropped EXE
PID:3196

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.00.2" OsVer
4⤵
- Executes dropped EXE
PID:2420

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.2." OsVer
4⤵
- Executes dropped EXE
PID:3260

C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
4⤵
- Executes dropped EXE
PID:216

C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -sq "currentversion.* 6.0" OsVer00
4⤵
- Executes dropped EXE
PID:1200

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q
4⤵
- Executes dropped EXE
PID:2712

C:\32788R22FWJFW\swreg.exe
SWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q
4⤵
- Executes dropped EXE
PID:1352

C:\Windows\SysWOW64\chcp.com
CHCP 1252
4⤵
PID:4916

C:\32788R22FWJFW\NircmdB.exe
NircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
4⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\32788R22FWJFW\GSAR.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\OsVer
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\32788R22FWJFW\OsVer
Filesize
104B

MD5
81107438325dd733bb955160756d8c08

SHA1
fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca

SHA256
29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6

SHA512
d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed

Download Submit
C:\32788R22FWJFW\P.cmd
Filesize
15KB

MD5
c5cd2aa27fcd9aaa84b947a388d5b146

SHA1
7b94092bfe4a1990496d019b66aaeecf99bca572

SHA256
dcb167624c5e36a3f310dec9700b2c782acbda30bd6d80996d66c20f65fc1ee2

SHA512
c296e490be1ad3fedbbb4b820ee463e2c9e8b979a0d1663e38bfd22c4b5785f7aa0257d30122802152107e8e39ef5f0f16aa45e500c9e0c52d36881fe3119f09

Download Submit
C:\32788R22FWJFW\Prep.inf
Filesize
2KB

MD5
1aa16d0f74468cf739427c823e44f693

SHA1
ea83e02989f1427fb0f2f1f5eb23e1e125cd5c78

SHA256
8419a839e8e106403e2dc8ae73ef9a627bb894b91a5b39e2ad88e62c9d66dc56

SHA512
0a403c320ce88bd7b0dcbfcf71e552d08e070fafefeada050c330f01e50cc542726812026d18b14216be49ca608197630b65f23fc32b89268b8bb86de7c35782

Download Submit
C:\32788R22FWJFW\SWXCACLS.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB

MD5
d6a005f8facff88e260688ddb7ae00c1

SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50

SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49

SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\n.pif
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\nircmd.cfxxe
Filesize
30KB

MD5
ae72e8619cb31d84da25e2435e55003c

SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240

SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24

SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\pev.exe
Filesize
231KB

MD5
3b44e6b3653fabdf876bc2b13c434e62

SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9

SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797

SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swreg.exe
Filesize
158KB

MD5
01d95a1f8cf13d07cc564aabb36bcc0b

SHA1
be229bde90b82d21fe94c67e2b096334e93d78c2

SHA256
1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3

SHA512
342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

Download Submit
C:\32788R22FWJFW\swxcacls.cfxxe
Filesize
207KB

MD5
b1a9cf0b6f80611d31987c247ec630b4

SHA1
7299b3c370254e1e4bade26dc5fec818989d836a

SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef

SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

Download Submit
C:\Windows\SysWOW64\cmd.execf
Filesize
231KB

MD5
29824dce144b6134797729005107ee1f

SHA1
d0bb9999154b87c32658b55c5c3bc2c5cbe156b6

SHA256
bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5

SHA512
f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

Download Submit
C:\Windows\SysWOW64\cmd.execf
Filesize
231KB

MD5
29824dce144b6134797729005107ee1f

SHA1
d0bb9999154b87c32658b55c5c3bc2c5cbe156b6

SHA256
bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5

SHA512
f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

Download Submit
C:\Windows\SysWOW64\cmd.execf
Filesize
231KB

MD5
29824dce144b6134797729005107ee1f

SHA1
d0bb9999154b87c32658b55c5c3bc2c5cbe156b6

SHA256
bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5

SHA512
f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

Download Submit
C:\Windows\SysWOW64\cmd.execf
Filesize
231KB

MD5
29824dce144b6134797729005107ee1f

SHA1
d0bb9999154b87c32658b55c5c3bc2c5cbe156b6

SHA256
bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5

SHA512
f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

Download Submit
C:\\32788R22FWJFW\EXE.reg
Filesize
13KB

MD5
eea590e05f33b10a4872de498e19b47a

SHA1
7528ff7e2f6f499d5769f9e716d3b2d123015964

SHA256
ad056333abd166c63c9b2db588a07e75b834cbdd4fe7a7815bc253782d97cdcf

SHA512
4a017b5c45846d9144fb195205452ccd054c24eaef8d721f6bc7e48b6470fb25e9dd72f87e1d382deda4166158467b887a294e5141de9cf134739113a0ed67ec

Download Submit
memory/216-261-0x0000000000000000-mapping.dmp

Download
memory/452-246-0x0000000000000000-mapping.dmp

Download
memory/452-149-0x0000000000000000-mapping.dmp

Download
memory/536-207-0x0000000000000000-mapping.dmp

Download
memory/668-267-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/668-258-0x0000000000000000-mapping.dmp

Download
memory/788-148-0x0000000000000000-mapping.dmp

Download
memory/956-182-0x0000000000000000-mapping.dmp

Download
memory/1200-263-0x0000000000000000-mapping.dmp

Download
memory/1300-212-0x0000000000000000-mapping.dmp

Download
memory/1324-203-0x0000000000000000-mapping.dmp

Download
memory/1352-266-0x0000000000000000-mapping.dmp

Download
memory/1392-224-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/1392-220-0x0000000000000000-mapping.dmp

Download
memory/1460-164-0x0000000000000000-mapping.dmp

Download
memory/1756-213-0x0000000000000000-mapping.dmp

Download
memory/1816-205-0x0000000000000000-mapping.dmp

Download
memory/1844-155-0x0000000000000000-mapping.dmp

Download
memory/2076-209-0x0000000000000000-mapping.dmp

Download
memory/2412-172-0x0000000000000000-mapping.dmp

Download
memory/2420-257-0x0000000000000000-mapping.dmp

Download
memory/2468-271-0x0000000000910000-0x00000000009D4000-memory.dmp

Filesize
784KB

Download
memory/2480-200-0x0000000000000000-mapping.dmp

Download
memory/2636-245-0x0000000000000000-mapping.dmp

Download
memory/2680-231-0x0000000000000000-mapping.dmp

Download
memory/2680-234-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/2712-265-0x0000000000000000-mapping.dmp

Download
memory/2812-250-0x0000000000000000-mapping.dmp

Download
memory/2860-186-0x0000000000000000-mapping.dmp

Download
memory/2932-253-0x0000000000000000-mapping.dmp

Download
memory/2980-264-0x0000000000000000-mapping.dmp

Download
memory/3140-169-0x0000000000000000-mapping.dmp

Download
memory/3196-249-0x0000000000000000-mapping.dmp

Download
memory/3260-260-0x0000000000000000-mapping.dmp

Download
memory/3408-221-0x0000000000000000-mapping.dmp

Download
memory/3408-228-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/3448-156-0x0000000000000000-mapping.dmp

Download
memory/3516-178-0x0000000000000000-mapping.dmp

Download
memory/3556-157-0x0000000000000000-mapping.dmp

Download
memory/3632-225-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/3632-218-0x0000000000000000-mapping.dmp

Download
memory/3720-177-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/3720-151-0x0000000000000000-mapping.dmp

Download
memory/3748-190-0x0000000000000000-mapping.dmp

Download
memory/3824-188-0x0000000000000000-mapping.dmp

Download
memory/3968-152-0x0000000000000000-mapping.dmp

Download
memory/4064-197-0x0000000000000000-mapping.dmp

Download
memory/4108-262-0x0000000000000000-mapping.dmp

Download
memory/4164-259-0x0000000000000000-mapping.dmp

Download
memory/4272-175-0x0000000000000000-mapping.dmp

Download
memory/4280-272-0x0000000000910000-0x00000000009D4000-memory.dmp

Filesize
784KB

Download
memory/4352-270-0x0000000000910000-0x00000000009D4000-memory.dmp

Filesize
784KB

Download
memory/4376-269-0x0000000000910000-0x00000000009D4000-memory.dmp

Filesize
784KB

Download
memory/4396-184-0x0000000000000000-mapping.dmp

Download
memory/4440-165-0x0000000000000000-mapping.dmp

Download
memory/4484-192-0x0000000000000000-mapping.dmp

Download
memory/4532-194-0x0000000000000000-mapping.dmp

Download
memory/4536-131-0x0000000000000000-mapping.dmp

Download
memory/4588-139-0x0000000000000000-mapping.dmp

Download
memory/4588-145-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/4596-268-0x0000000000910000-0x00000000009D4000-memory.dmp

Filesize
784KB

Download
memory/4620-136-0x0000000000000000-mapping.dmp

Download
memory/4656-229-0x0000000000000000-mapping.dmp

Download
memory/4656-235-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/4676-236-0x0000000000000000-mapping.dmp

Download
memory/4692-161-0x0000000000000000-mapping.dmp

Download
memory/4724-255-0x0000000000000000-mapping.dmp

Download
memory/4736-240-0x0000000000000000-mapping.dmp

Download
memory/4760-142-0x0000000000000000-mapping.dmp

Download
memory/4768-180-0x0000000000000000-mapping.dmp

Download
memory/4780-226-0x0000000000000000-mapping.dmp

Download
memory/4780-233-0x0000000000F20000-0x0000000000FE4000-memory.dmp

Filesize
784KB

Download
memory/4796-256-0x0000000000000000-mapping.dmp

Download
memory/4980-242-0x0000000000000000-mapping.dmp

Download
memory/5036-211-0x0000000000000000-mapping.dmp

Download
memory/5060-134-0x0000000000000000-mapping.dmp

Download
memory/5092-160-0x0000000000000000-mapping.dmp

Download
memory/5100-147-0x0000000000000000-mapping.dmp

Download