Analysis
- max time kernel: 188s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:29
Static task: static1
Behavioral task: behavioral1
- Sample: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
- Resource: win10v2004-20220414-en
General
- Target: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
- Size: 3.2MB
- MD5: 164522c5805de5f7392cf0f81e67914f
- SHA1: 11da4bf6263230b0f740d0f602ee7b9d5bd00800
- SHA256: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c
- SHA512: 7c3c8dbe99a9f1c4b7e6e06ecd84a209c224ee41490e358b978de90ee0b42d354e8d6bdcb4932d8465b63b500b67c057992de8c2dbf61d7cfce0cfea8e5e05da
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: swreg.exe
- swreg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"
Modifies system executable filetype association (2 TTPs, 40 IoCs)
Processes: pev.exe, PEV.exe, InfDefaultInstall.exe
Each of the three processes creates and sets the shell\open\command value of the comfile, batfile, exefile and piffile classes; the 40 IoCs in the raw report are repeats of these eight operations:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"
Disables RegEdit via registry modification

Drops file in Drivers directory (1 IoC)
Processes: handle64.exe
- handle64.exe: File created C:\Windows\system32\Drivers\PROCEXP90.SYS
Executes dropped EXE (64 IoCs)
Processes and their PIDs, as listed in the raw report:
- iexplore.exe: 4536, 5060
- hidec.exe: 4620, 452, 3968, 3556, 5092, 1460, 3516, 2860
- pev.exe: 4588, 3632, 1392, 3408, 4780, 4656, 2680, 668
- n.pif: 4760, 2412, 956, 3748, 4484, 1816, 2076
- PEV.exe: 3720
- swreg.exe: 3448, 4692, 4440, 1324, 2636, 2932, 4796, 216, 4108, 2712, 2980, 1352, 4888
- SWXCACLS.cfxxe: 3140
- SWREG.exe: 4272, 4768, 4396, 3824
- GSAR.cfxxe: 4532, 2480
- nircmd.cfxxe: 4064, 536
- cmd.execf: 5036, 1300, 1756
- grep.cfxxe: 4676, 4736, 4980, 452, 2812, 3196, 4724, 2420, 4164, 3260, 1200
- NircmdB.exe: 5116, 1944
Sets file execution options in registry (2 TTPs)

Sets service image path in registry (2 TTPs)

Resources matching yara rule upx (each path is listed once per drop in the raw report)
- C:\32788R22FWJFW\iexplore.exe
- C:\32788R22FWJFW\n.pif
- C:\32788R22FWJFW\swreg.exe
- C:\32788R22FWJFW\NirCmd.cfxxe
- C:\32788R22FWJFW\nircmd.cfxxe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe, n.pif
- 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- n.pif: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 19 IoCs)
Processes: InfDefaultInstall.exe, PEV.exe, pev.exe (three instances)
- InfDefaultInstall.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- InfDefaultInstall.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\
- InfDefaultInstall.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"
- PEV.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run
- PEV.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- PEV.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex
- PEV.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX
- pev.exe (x3): Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run
- pev.exe (x3): Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- pev.exe (x3): Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runonceex
- pev.exe (x3): Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX
Drops file in System32 directory (6 IoCs)
Processes: cmd.execf, GSAR.cfxxe
- cmd.execf: File opened for modification C:\Windows\SysWOW64\swsc.exe
- cmd.execf: File created C:\Windows\SysWOW64\CF5295.exe
- cmd.execf: File opened for modification C:\Windows\SysWOW64\CF5295.exe
- GSAR.cfxxe: File created C:\Windows\SysWOW64\cmd.execf
- GSAR.cfxxe: File opened for modification C:\Windows\SysWOW64\cmd.execf
- cmd.execf: File created C:\Windows\SysWOW64\swsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe
- runonce.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- runonce.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies data under HKEY_USERS (10 IoCs)
Processes: swreg.exe, PEV.exe, pev.exe (three instances)
- swreg.exe: Key created \REGISTRY\USER\.DEFAULT\Console
- swreg.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Console\CodePage = "1252"
- PEV.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor
- PEV.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"
- pev.exe (x3): Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor
- pev.exe (x3): Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1"
Modifies registry class (64 IoCs)
Processes: PEV.exe, pev.exe (three instances), InfDefaultInstall.exe
The 64 IoCs in the raw report are repeats of the following operations; the processes that performed each are given in parentheses.

Key created:
- \REGISTRY\MACHINE\SOFTWARE\Classes\.pif (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd (PEV.exe, pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.com (pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.exe (pev.exe, PEV.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile (InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command (pev.exe, PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command (pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command (pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command (pev.exe, PEV.exe)

Key deleted:
- \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile (pev.exe)

Set value (str):
- \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" (PEV.exe, pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" (pev.exe, PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" (pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" (pev.exe, PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" (pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" (PEV.exe, pev.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" (PEV.exe, pev.exe, InfDefaultInstall.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" (pev.exe, PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" (pev.exe, PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" (PEV.exe)
- \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" (pev.exe, PEV.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pev.exe, PIDs 1392, 3408 and 3632 (the 64 IoCs are repeated process-enumeration events from these three PIDs)
Suspicious behavior: LoadsDriver (1 IoC)
Processes: handle64.exe (PID 928)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: pev.exe, swreg.exe, PEV.exe, SWXCACLS.cfxxe
Privileges enabled per process (PID); the 64 IoCs are repeated enables of the same privileges, most of them by swreg.exe PID 4692:
- pev.exe (4588): SeDebugPrivilege
- PEV.exe (3720): SeDebugPrivilege
- swreg.exe (3448): SeSecurityPrivilege
- swreg.exe (4692): SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege (cycled repeatedly)
- swreg.exe (4440): SeTakeOwnershipPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- SWXCACLS.cfxxe (3140): SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe, hidec.exe, n.pif, InfDefaultInstall.exe, runonce.exe
Parent PID (process) -> target PID (process). Each pair appears three times in the raw report, which is cut off at 64 entries:
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 4536 (iexplore.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 5060 (iexplore.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 4620 (hidec.exe)
- 4620 (hidec.exe) -> 4588 (pev.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 4760 (n.pif)
- 4760 (n.pif) -> 5100 (InfDefaultInstall.exe)
- 5100 (InfDefaultInstall.exe) -> 788 (runonce.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 452 (hidec.exe)
- 452 (hidec.exe) -> 3720 (PEV.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 3968 (hidec.exe)
- 788 (runonce.exe) -> 1844 (grpconv.exe)
- 3968 (hidec.exe) -> 3448 (swreg.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 3556 (hidec.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 5092 (hidec.exe)
- 3556 (hidec.exe) -> 4692 (swreg.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 1460 (hidec.exe)
- 5092 (hidec.exe) -> 4440 (swreg.exe)
- 1460 (hidec.exe) -> 3140 (SWXCACLS.cfxxe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 2412 (n.pif)
- 2412 (n.pif) -> 4272 (SWREG.exe)
- 1416 (23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe) -> 3516 (hidec.exe)
- 3516 (hidec.exe) -> 4768 (SWREG.exe) (listed once before the cut-off)
System policy modification (1 TTP, 4 IoCs)
Processes: PEV.exe, pev.exe (three instances)
- PEV.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- pev.exe (x3): Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Processes
Child processes are indented under the process that started them; each entry gives the image path, the command line, and the signatures triggered by that process.

C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\32788R22FWJFW\iexplore.exe
      Command line: "C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
      - Executes dropped EXE

    C:\32788R22FWJFW\iexplore.exe
      Command line: "C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
      - Executes dropped EXE

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\pev.exe
          Command line: 32788R22FWJFW\pev.exe -k * and { *Antivirus*Pro.exe or svchast.exe or winupdate.exe or or ANTI_files.exe or dbsinit.exe or ?.exe or desot.exe or desote.exe or *sysguard.exe or aap.exe or pump.exe os svcst.exe or seres.exe or *spyware.exe or new.exe or -preg"\d{3,}.exe" }
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\32788R22FWJFW\n.pif
      Command line: "C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\InfDefaultInstall.exe
          Command line: "C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\runonce.exe
              Command line: "C:\Windows\system32\runonce.exe" -r
              - Checks processor information in registry
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\grpconv.exe
                  Command line: "C:\Windows\System32\grpconv.exe" -o

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\PEV.exe
          Command line: 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
          - Modifies system executable filetype association
          - Executes dropped EXE
          - Adds Run key to start application
          - Modifies data under HKEY_USERS
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\swreg.exe
          Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\swreg.exe
          Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\swreg.exe
          Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\SWXCACLS.cfxxe
          Command line: 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    C:\32788R22FWJFW\n.pif
      Command line: "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\SWREG.exe
          Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
          - Executes dropped EXE

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\32788R22FWJFW\SWREG.exe
          Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
          - Executes dropped EXE

    C:\32788R22FWJFW\n.pif
      Command line: "C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
      - Executes dropped EXE

        C:\32788R22FWJFW\SWREG.exe
          Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
          - Executes dropped EXE

    C:\32788R22FWJFW\hidec.exe
      Command line: "C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
      - Executes dropped EXE

        C:\32788R22FWJFW\SWREG.exe
          Command line: 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
          - Executes dropped EXE

    C:\32788R22FWJFW\n.pif
      Command line: "C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
      - Executes dropped EXE

        C:\32788R22FWJFW\swreg.exe
          Command line: 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
          - Executes dropped EXE

    C:\32788R22FWJFW\n.pif
      Command line: "C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"
- Executes dropped EXE
-
C:\32788R22FWJFW\GSAR.cfxxe32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\32788R22FWJFW\nircmd.cfxxe"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"2⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\GSAR.cfxxe32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.execf"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\32788R22FWJFW\n.pif"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execf"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd >\Bug.txt 2>&13⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
C:\32788R22FWJFW\swreg.exeSWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -isq "ProductType.*WinNT" WinNT004⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\pev.exePEV UZIP License\pv_5_2_2.zip .\4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\sed.cfxxeSED -r "/.*\t(.:\\[^\\]*)$/!d; s//\1/"4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "HKLM\Software\Swearware" /V LastDir /D "C:\"4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\sed.cfxxeSED "/^PATH=/I!d; s///; s/\x22//g" Oripath4⤵
-
C:\32788R22FWJFW\PEV.cfxxePEV -rtf -s+901 .\OriPath004⤵
-
C:\32788R22FWJFW\PV.cfxxePV -kf runonce.exe grpconv.exe procmon.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe4⤵
-
C:\32788R22FWJFW\NirCmd.cfxxeNircmd win close class "#32770"4⤵
-
C:\32788R22FWJFW\PEV.cfxxePEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe }4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "HKCU\Console_combofixbackup"4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 04⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 04⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP4⤵
-
C:\32788R22FWJFW\sed.cfxxeSED "/.* /!d; s//@CHCP.com /" NlsCodePageACP004⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\chcp.comCHCP.com 12524⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default4⤵
-
C:\32788R22FWJFW\sed.cfxxeSED "/.* /!d; s///" NlsLanguage004⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -isq "09$" NlsLanguageDefault4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY HKLM\Software\Swearware /v combofix_wow4⤵
-
C:\32788R22FWJFW\sed.cfxxeSED "/.* /!d; s/// " CFVersionOld004⤵
-
C:\32788R22FWJFW\NirCmd.cfxxeNIRCMD LOOP 2 80 BEEP 3000 2004⤵
-
C:\32788R22FWJFW\NirCmdC.cfxxeNIRCMDC QBOXCOMTOP "The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE." "" FILLDELETE AbortP4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD HKLM\Software\Swearware /v combofix_wow /d "09-10-14.09"4⤵
-
C:\32788R22FWJFW\PEV.cfxxePEV -rtf -md5F33C19A7658BB2B004646C8EC8C9D922 .\md5sum.pif4⤵
-
C:\32788R22FWJFW\PEV.cfxxePEV -tf --files:files.pif --c:##5#b#f#4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -vs "^!MD5:" mdCheck00.dat4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fvf md5sum.pif mdCheck0a.dat4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"4⤵
-
C:\32788R22FWJFW\sed.cfxxeSED -r "/^ (aux|midi|mixer|wave)([1-9] | ).*\\/I!d; s/%systemroot%/C:\\Windows/I" temp004⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -F \ temp014⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fi "C:\Windows\system32\userinit.exe" Userinit004⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"4⤵
- Modifies WinLogon for persistence
-
C:\32788R22FWJFW\sed.cfxxeSED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Users\\Admin\\AppData\\Local\\Temp\\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET004⤵
-
C:\32788R22FWJFW\swxcacls.cfxxeSWXCACLS C:\Windows\system32\FINDSTR.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q4⤵
-
C:\32788R22FWJFW\swxcacls.cfxxeSWXCACLS C:\Windows\system32\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q4⤵
-
C:\32788R22FWJFW\swxcacls.cfxxeSWXCACLS C:\Windows\system32\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q4⤵
-
C:\32788R22FWJFW\swxcacls.cfxxeSWXCACLS C:\Windows\system32\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q4⤵
-
C:\32788R22FWJFW\swxcacls.cfxxeSWXCACLS C:\Windows\system32\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q4⤵
-
C:\Windows\SysWOW64\cmd.execfC:\Windows\system32\cmd.execf /S /D /c" ECHO."C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe""4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Eisq "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$"4⤵
-
C:\32788R22FWJFW\ATTRIB.cfxxeATTRIB +R "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe"4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -isq "\/cfDebug" sfx.cmd4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP "=.*[a-z]" sfx.cmd4⤵
-
C:\32788R22FWJFW\NirCmd.cfxxeNIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE4⤵
-
C:\Windows\SysWOW64\cscript.exeCSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs4⤵
-
C:\32788R22FWJFW\PV.cfxxePV -kf CSCRIPT.exe PV.*4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fsf AVBlack resident.txt4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fivf AVWhite resident.txt4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -E "^(AV|SP): .*enabled\* \("4⤵
-
C:\32788R22FWJFW\PV.cfxxePV -kf thguard.exe ntvdm.exe teatimer*.exe ad-watch*.exe SZServer.exe StopZilla*.exe userinit.exe procmon.exe txp1atform.exe SonndMan.exe ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q4⤵
-
C:\32788R22FWJFW\handle.cfxxeHANDLE csrss.exe.mui4⤵
-
C:\32788R22FWJFW\handle64.exeHANDLE csrss.exe.mui5⤵
- Drops file in Drivers directory
- Suspicious behavior: LoadsDriver
-
C:\32788R22FWJFW\sed.cfxxeSED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI004⤵
-
C:\32788R22FWJFW\sed.cfxxeSED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P" MUI014⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fx "REGEDIT4" Fin.dat4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -ix "FileName=[-[:alnum:]@.]*" FileName4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -ivx ComboFix DirName004⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Fisqx "23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c" DirName014⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver4⤵
-
C:\32788R22FWJFW\PEV.cfxxePEV UZIP "License\streamtools.zip" License4⤵
-
C:\32788R22FWJFW\grep.cfxxeGREP -Eisq "=.\/u.$" sfx.cmd4⤵
-
C:\32788R22FWJFW\swreg.exeSWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c"4⤵
-
C:\32788R22FWJFW\hidec.exeHIDEC "C:\Windows\system32\CF5295.exe" /F:OFF /D /C C:\Start_.cmd4⤵
-
C:\Windows\SysWOW64\CF5295.exe"C:\Windows\system32\CF5295.exe" /F:OFF /D /C C:\Start_.cmd5⤵
-
C:\32788R22FWJFW\ATTRIB.cfxxeATTRIB -H -S "C:\32788R22FWJFW\*"6⤵
-
C:\Windows\SysWOW64\CF5295.exe"C:\Windows\system32\CF5295.exe" /k c.bat6⤵
-
C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\grep.cfxxeGREP -Fqi ".cfxxe;" temp007⤵
-
C:\Windows\SysWOW64\chcp.comCHCP.com 12527⤵
-
C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\NircmdB.exeNircmdB.exe INFOBOX "Incompatible OS. ComboFix only works for Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"7⤵
-
C:\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c\PV.cfxxePV -kf cmd.exe cmd.execf Nircmd.cfxxe6⤵
-
C:\32788R22FWJFW\NirCmd.cfxxeNIRCMD WAIT 20004⤵
-
C:\32788R22FWJFW\nircmd.cfxxe"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execf"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd3⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.1.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "6.0.6" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.00.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.2." OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -sq "currentversion.* 6.0" OsVer004⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\chcp.comCHCP 12524⤵
-
C:\32788R22FWJFW\NircmdB.exeNircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\n.pif"C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execf"C:\Windows\system32\cmd.execf" /c 32788R22FWJFW\p.cmd3⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe -k -r "C:\Users\Admin\AppData\Local\Temp\23fb92919059417d63da18028869fdb717db5e07ad305d9d244246492c67009c.exe" or n.pif4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\32788R22FWJFW\pev.exe32788R22FWJFW\PEV.exe Rimport 32788R22FWJFW\EXE.reg4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.1.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "6.0.6" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.00.2" OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -F "5.2." OsVer4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\grep.cfxxeGREP.cfxxe -sq "currentversion.* 6.0" OsVer004⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RESET /Q4⤵
- Executes dropped EXE
-
C:\32788R22FWJFW\swreg.exeSWREG ACL "hklm\software\microsoft\windows nt\currentversion\windows" /RO:F /RA:F /Q4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\chcp.comCHCP 12524⤵
-
C:\32788R22FWJFW\NircmdB.exeNircmdB.exe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\32788R22FWJFW\GSAR.cfxxe
Filesize
15KB
MD5
d6a005f8facff88e260688ddb7ae00c1
SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
C:\32788R22FWJFW\NirCmd.cfxxe
Filesize
30KB
MD5
ae72e8619cb31d84da25e2435e55003c
SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
C:\32788R22FWJFW\OsVer
Filesize
2B
MD5
81051bcc2cf1bedf378224b0a93e2877
SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\32788R22FWJFW\OsVer
Filesize
104B
MD5
81107438325dd733bb955160756d8c08
SHA1
fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca
SHA256
29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6
SHA512
d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed
-
C:\32788R22FWJFW\P.cmd
Filesize
15KB
MD5
c5cd2aa27fcd9aaa84b947a388d5b146
SHA1
7b94092bfe4a1990496d019b66aaeecf99bca572
SHA256
dcb167624c5e36a3f310dec9700b2c782acbda30bd6d80996d66c20f65fc1ee2
SHA512
c296e490be1ad3fedbbb4b820ee463e2c9e8b979a0d1663e38bfd22c4b5785f7aa0257d30122802152107e8e39ef5f0f16aa45e500c9e0c52d36881fe3119f09
-
C:\32788R22FWJFW\Prep.inf
Filesize
2KB
MD5
1aa16d0f74468cf739427c823e44f693
SHA1
ea83e02989f1427fb0f2f1f5eb23e1e125cd5c78
SHA256
8419a839e8e106403e2dc8ae73ef9a627bb894b91a5b39e2ad88e62c9d66dc56
SHA512
0a403c320ce88bd7b0dcbfcf71e552d08e070fafefeada050c330f01e50cc542726812026d18b14216be49ca608197630b65f23fc32b89268b8bb86de7c35782
-
C:\32788R22FWJFW\SWXCACLS.cfxxe
Filesize
207KB
MD5
b1a9cf0b6f80611d31987c247ec630b4
SHA1
7299b3c370254e1e4bade26dc5fec818989d836a
SHA256
933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512
152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-
C:\32788R22FWJFW\grep.cfxxe
Filesize
78KB
MD5
9e05a9c264c8a908a8e79450fcbff047
SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4
SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1
SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa
-
C:\32788R22FWJFW\gsar.cfxxe
Filesize
15KB
MD5
d6a005f8facff88e260688ddb7ae00c1
SHA1
4e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA256
0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA512
7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
C:\32788R22FWJFW\hidec.exe
Filesize
1KB
MD5
abc6379205de2618851c4fcbf72112eb
SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
C:\32788R22FWJFW\iexplore.exe
Filesize
30KB
MD5
ae72e8619cb31d84da25e2435e55003c
SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
C:\32788R22FWJFW\n.pif
Filesize
30KB
MD5
ae72e8619cb31d84da25e2435e55003c
SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
C:\32788R22FWJFW\nircmd.cfxxe
Filesize
30KB
MD5
ae72e8619cb31d84da25e2435e55003c
SHA1
2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256
eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512
1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982
-
C:\32788R22FWJFW\pev.exe
Filesize
231KB
MD5
3b44e6b3653fabdf876bc2b13c434e62
SHA1
521e5e737c2b22ee61165320ea20e6ac596d84e9
SHA256
21793f8b54906ebd1dada5bc350bae8399e49409c889bf6dc6294acb13baf797
SHA512
9df2acdc1339ea28335a96ba050198fa740b1536830de082c692a6595a4207155863d274fe440fe6b3b62720bc44719a1c854e0aec8bd8ff17adc840a0c3ecb2
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swreg.exeFilesize
158KB
MD501d95a1f8cf13d07cc564aabb36bcc0b
SHA1be229bde90b82d21fe94c67e2b096334e93d78c2
SHA2561eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48
-
C:\32788R22FWJFW\swxcacls.cfxxeFilesize
207KB
MD5b1a9cf0b6f80611d31987c247ec630b4
SHA17299b3c370254e1e4bade26dc5fec818989d836a
SHA256933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-
C:\Windows\SysWOW64\cmd.execfFilesize
231KB
MD529824dce144b6134797729005107ee1f
SHA1d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd
-
C:\Windows\SysWOW64\cmd.execfFilesize
231KB
MD529824dce144b6134797729005107ee1f
SHA1d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd
-
C:\Windows\SysWOW64\cmd.execfFilesize
231KB
MD529824dce144b6134797729005107ee1f
SHA1d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd
-
C:\Windows\SysWOW64\cmd.execfFilesize
231KB
MD529824dce144b6134797729005107ee1f
SHA1d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd
-
C:\\32788R22FWJFW\EXE.regFilesize
13KB
MD5eea590e05f33b10a4872de498e19b47a
SHA17528ff7e2f6f499d5769f9e716d3b2d123015964
SHA256ad056333abd166c63c9b2db588a07e75b834cbdd4fe7a7815bc253782d97cdcf
SHA5124a017b5c45846d9144fb195205452ccd054c24eaef8d721f6bc7e48b6470fb25e9dd72f87e1d382deda4166158467b887a294e5141de9cf134739113a0ed67ec
-