Malware Analysis Report

2024-09-11 03:49

Sample ID 240607-py7ysagb8z
Target CW.eXe
SHA256 60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98

Threat Level: Likely malicious

The file CW.eXe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-07 12:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 12:45

Reported

2024-06-07 12:57

Platform

win7-20240221-en

Max time kernel

399s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CW.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\CW.exe C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CW.exe

"C:\Users\Admin\AppData\Local\Temp\CW.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\CW.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C hosts.exe /i

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original a64_original

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original b64_original

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched a64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\slmgr.vbs t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\slmgr.vbs t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\slmgr.vbs t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\slmgr.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\slmgr.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\sppcomapi.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\sppcomapi.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\sppcomapi.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\sppcomapi.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\sppcomapi.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\systemcpl.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\systemcpl.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\systemcpl.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\systemcpl.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\systemcpl.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\user32.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\user32.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\user32.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\user32.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1027806045-2690456651252586381163697241630859394-13607682131520768232-1188737765"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\user32.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\winver.exe t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\winver.exe t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\winver.exe t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\winver.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "297450781887602129573624308-1427962038-834545169-754192537-6018791481268915455"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\winver.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1728178538-590888112704896703495852758-571819470-140698159620727636582039652409"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\winver.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1227900763-963484108-8969537501216867504104891019115047018667875128-1580160225"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\winver.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\winver.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1353747187153117796119202222213116198076068217671592377799-19832673271558578820"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-659053242-5452977601168243848-1084212549-167001578-114215722120751667111370144353"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\winver.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sfc.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sfc.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10717665341912388070-14234139162029839837-723106837-1004642981-911369922-1193784943"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sfc.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\mainicon.ico

MD5 31aca1a1047efbc8d2a6e22101b2227b
SHA1 7f0500f0dd7b33f13efcef891700d17306762e02
SHA256 a9eaafa2c8e36bb80f58d5930694676d76dab647b8f709f3142649bb8018fbfa
SHA512 190dd9471fdc93e9eeb8dede79f3b9f1a67c3ff62e5733f51ddf03130790ae0e409da92d46c8e616c35bcd5dbc9d2139c95452843f8a8a4ba8b4d70d1e43427a

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

MD5 6ed1ff22271e42f1b1b794fcf013c792
SHA1 bedfc9238562d8f060aa8ba2dd611fb0bd69028c
SHA256 3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9
SHA512 0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

MD5 1c42c49a03f8416736f243907b1c8c0a
SHA1 64a6bc73c97b85c35813d7c3386753e0c8fd7e63
SHA256 6f9a4a22186afb4efd48689fe9dad4a1cf1cfd6f2706d3411c8f5d83607e0ba9
SHA512 6385706f690fa75267af441fc614a3971e4a7e5dab08de76e6a2773f5a4284bfb13e9c08595fc9b3dc39672f74ec1af26c79581df0cf9eb45b8ddb2785f22026

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns

MD5 6a9b0ab9341ac4204aafc7fac9872962
SHA1 dc6ceafcb39b7329552d0883f2c3284dddbb0ddc
SHA256 6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2
SHA512 76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\chew.enc

MD5 12a32fa128964e6a70b7ead729bfd933
SHA1 af5ae624d8f1aba5b1c651d6435fdaaadb475d3f
SHA256 a7bec382f29d784338e0130bf180a2387454be59ce8bf198f43fe9655cc473d7
SHA512 a335e01ca8ada8b7ae15dd9405409266a01a8e597f556c8cb316c35366a0a4e3f8cadd048108f0cb713d51ccb08d0845298fc56858f9300c21f5422c1fb8ee01

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\main-screen.jpg

MD5 16ace5798f3499d9685197740cd00735
SHA1 5a5d4765b3d2046cd1d4fcc714e77d188b8e52ab
SHA256 0c88a592cb5448d2131a15f208580365cf383a2445ed60ca55987f42ecc4ce11
SHA512 f5e7f3bdba6aa633bb28991c5dc9ce0e9a010ca133165417ff81c48d6cacd87d89b93533176311a60823d8d98c13bd4134ce1bcd0f90f644092779cf47aa14e0

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn

MD5 9ecb9fcfdcb46a87ec244cfe23659e0e
SHA1 b389705b9cc52e7e12a0f7f68a4f6922ea9db107
SHA256 3ff2c5e7c1b7471d41d64bd39b2d8e2df3761408c0b235ce8ccbb3d39417466f
SHA512 12a61f1cdff7faf5fe40fd83d2cbb4ef17554be2b2ead82162d685a3b492f7149bfb82b8c65a5d20e061a287140c5350923c0adab9fc7e47a7c98f3fdead8498

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Home2.Btn

MD5 1c85362b0780dfb2f580e567ad57643a
SHA1 c1ca2efb091d5540c8d300a00420fb3060874e61
SHA256 70919d158d55ba3a9c38bbe91c79bc69452e67fe7862aa00fe77df56a7dde4e7
SHA512 57d643adeb7ae8409312a0b8ac1b4774d51543f31ee4f1ea27a57fb34521d21d3590e23d8470d03967aff137117c8ace46b8a20adc6e65c1a411f70dbfd85690

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\genuine-chew.jpg

MD5 2e2ac2c68ef9ed0e14108208dc6880bb
SHA1 15bed281564c4ae5d59c8e8d7691b63ba253448b
SHA256 510acf5a6ce7e9570a591a48951161341de4f1da13e0117ab4aa6832e5bddb97
SHA512 ee40b725211ec3001154c7484de7ce78df7a885fef6ba09585cad7281b4b08acb60459856d8c3b1684adceef643995f2cf708212183ca2ddb7f231713306590c

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik11.Btn

MD5 eb199b1cb2087cadf5dd4d7b06db4f62
SHA1 2033bed8c8de0805e8fdbebadfd710e42fbe1a68
SHA256 b99136b165304979e84e98930ea5fee03508b8967acf6b82844b96863d916b15
SHA512 a133b9d14143b0d67f876b19f22fcf7d72352872352d7c5dd8a9ae05551e9350c5ede194416a0802816dd4c82418679c52b3ae578bf0f63e446ea868f8a9d387

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg

MD5 93270c4fa492e4e4edee872a2b961dde
SHA1 7b3c079d55d00aa5390662f0a2059e60546ed003
SHA256 25d49cbbd65d48ad462455f1143f73ee997df8f747e7d2213daab18e321c028b
SHA512 3d12721eb229d9227efc51c8e93d5f3ff6cabc305b643b764fcd6da76c031db4c8218b76b1f6158891995f23ce323c13826f59477924361cfb0dee2b9f94fb42

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\wait-install.jpg

MD5 e9e643548d3f92376e0becea1b79d731
SHA1 a273f8456c05003220494d8cf49f631408b07cdf
SHA256 68e008a39348d54344d4c4213fea395f710b078c6a5fa5fd493c08acd8ed0c78
SHA512 c4d7f083bec2b5341f866511e4f7d258c3bd6d4f4f5404bf7e2b68ffbe5d0b33ad0d5de4db2c0fd2201ebbbd45927ad1af132431f184e9c0277982659db863a2

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 5fa434ec8af8916370b765dec86852bd
SHA1 4e926f229b73d58f743101cbd7b2dd4793200eb5
SHA256 9d93b830e5fddb9ae865ad13d542e604a13b07687163841251cb083f0ffe2786
SHA512 229715259889d0caf20bfd11aa89a3c6dd1951f6b1d836445b114765db3c8381fe42930f06e5da5c08b035e11c92fd1abf3f21d92ee8cae957024ab17776ce28

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 ab6d9eff87e10aba6e3a05c06a69788d
SHA1 80634778fbe8666c80408ae2f11124884a3eeb56
SHA256 f904e7c681420cd9af688fed942c10ddeceb6bb9ec9aea0309c59211672a624e
SHA512 7477d43ae329188f47a47fd9dbcbe8e9c44cfed82d6a2e3c622d0a7f2b885eb3981f621b34a45fec146bbf912f0347311a49974720fb8690c2159e1bc4584a6e

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 1f10fe4a2a04bbfa953653dad216402b
SHA1 4bd2575d84834ceaa8aea9e3872af33a79045015
SHA256 9f56fe2732fbd5d2d619aa6a6938834de9cb5ef86c5142252ed99c793328663b
SHA512 e8a2e17d8c41b521873190eabbffe0db059bec27b09e5c0e02a7c6e44feca8a94b1cec3f344ec9335b50737ba15e698e79f9962d52764402d3b5c79a94561844

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 50e83a566229e0c51b61a7c31cabe41e
SHA1 4193c82e06a85de317328afb68d4c57be03350f6
SHA256 f8abc96fc377d5ae46cc352c84f940610ac841096ca2aae050efb202fa005dfd
SHA512 19a35a21d846e0f0d4b75d4e9987829e4eb1949241aa4bf9ce923971fd21e0b6f7c4d402e761cb553cb7a4b1af0f8d809b8b98bfbd099d50fa8f3016574feaa6

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 a2b3bd1bbfda5d3c4b2dfda19957ea96
SHA1 1770c8b61fa910bc0721b14acc96208ad41a6078
SHA256 4a337763ffd81164b39dc86d520a06bae8f8cb83a2d86f3ec074c95d6f8352cd
SHA512 4b466809903eb4f0a138d8b96f4747c0e24ac5c713c4ba69a5d35fdb1179cacd8561d8d1aa68badaa945b439953f995c12d7375e2035cc8ba422e7edd18c73a4

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 ebeab477f4ce465dc3879842359b1fd8
SHA1 e7d65f5deb653455ee715e6dd1908d478227b814
SHA256 cb487a227dc63c924e27e7fe8777f7bbef2c504b5b23153b89a99f434e432cec
SHA512 bfa149aca3557e4bb931161bba58ee089b2b699e9a87fa1d3b275af059d83cc4cd909583258b82b135fef856d2ba70588b3b753b789bebf6d38ffc9bb2f79976

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 e0b7c606005ddad0b2d5b5276a55774e
SHA1 66c43c4e60c7360d8d8e96a3476b5df536f0d1c1
SHA256 53045f921bedb17c5bac26a4e12376debaf271d7b9f08a4b7c517e17453b7979
SHA512 3d8ad69e87311d449d0d751ebaad8cc0bbbc5bf833fae21d2a0ca6dcc5d95aaaa073b15db8a2dc012468e199c49afa9ff2b164a5d7382ba9d581a1665f3c3b0d

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 3314ed8b1050eab625d52b2730cf064d
SHA1 43785553d0251f60cd6c2d1d396e8eba0b8e83fd
SHA256 8a0dfcad11407f3213d43636183a893b41011ec3f9fb664f937a80ba00b0e730
SHA512 980c568d5d29fb72ad45d06aa6a41fb74484cdd1ff59cd263d39451e59114ea036d0b34c2c17df6384628d203f63cadebe4ba6a592579b3989ea77035ca67bfc

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 3816e27de00255d806964e0542a61c58
SHA1 06792ad4c095c5cc3ed63d5a25ae387d8802db12
SHA256 d4a57ea881e945b473f30514ac88fdc6f101946bb16064fbbdae8c8d4f0f1315
SHA512 7a0af868bb158abb5d03fcdb3f7c7f65767554a2e7b8908486b1660dabe7d2b81563a0e736f53f4087d2966860937471c44ff4d34097fb3ed13b8064b78e1b08

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 75034b8aea9a0c0b361af3fac588586d
SHA1 1102ac8578a8938af69d09aec2d8be63c4bc7b0d
SHA256 702300fb530e253806c4f1366f43c7a6541a656dbdb2d4aa5629487add5a9225
SHA512 de1b6ae2e086d8d9182cf279274648d41d29316191da4b025a4624d676b23b57f25d7b55277d347706821008e585f1315639010b56d3110f92c15963f31931a7

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t1.txt

MD5 500cf1681dda5a94296d684421ce1329
SHA1 8d117d0dfb98c5b9a18eece31d52be17dc4faddf
SHA256 c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0
SHA512 4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 2604a551392e0ad9b9dfff59aa67fff3
SHA1 c59eea9aa1c2fbeb32f9e9cadb5ebec7d20cf30a
SHA256 d863aaec45284a57d2fcd2c8bb0e61579d47debdb660e2cdfe27b3986f97a89c
SHA512 bb411908692d4d9bade4430f01937fddcd57e58c3702edc47d7fc5a7e18f3ce0902ec40d5b966521afe1dd77fdeb39d0660d277975b6e3e712a995dc4a2deac0

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 1d9250f82ec5c5df4758eb30ee12a80a
SHA1 32faf2f750fbf1fff8d26675b41574a4912a1f6c
SHA256 085952fdefba04d9bab4c3058ad4882194bf8e5241f805992e529c46008ba400
SHA512 773971e6738fc0ee24711cbc2b92e7a5914be9727fd0302ba1eeab9ac5a63ada4aa6d05215a60c3da9d77338943f9ad19aabcf822518d7f1bdd033548d9d543c

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched

MD5 4ee1f86f0380ee6f57c5283d945861ea
SHA1 3a2fb4421b35cd7fe7e133da4160e4b1995ff55d
SHA256 8c64b02a9fd13c870085f72f70524f119e5b3192a9fe2112b0dd4a565b942416
SHA512 f43f70827ec03517e0cc177fc709876612ba0a4055a83893ff6f920d72222ad9c23e1cb962666eef844e9c919d9dc7c6dc295a6938297aae3e24e8f353ec0506

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 6e62eaf8a35ae3801ce0554fb140a84a
SHA1 ba1f56c430a222e753cd1f5322136f8726247cf3
SHA256 b9fa2d3bf26702806fc394521e57c9d65825ee40923a663af5e8b568646d1f11
SHA512 6628fc3f5b6ec82d54b1dcd1f2dfc32744d57e9a88a6ffeb571730016eb52675db208b9d350c251df1e235e0da23893b7b2697bde03ca38e1aec3498544400d3

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_patched

MD5 82e679d6a609830a09b2fb6511b543d5
SHA1 6072ac3deb1cadb02977533bb31aee96815e6a2c
SHA256 44b83f38059ad417a580050266adb572bff501ad959df42b8d9cd318c5029870
SHA512 08ed010b16a9e8e34ddf336f8129cb73aa4e474dd336777a2d5172875e71b0d8f8ab54fda4638b7e2f668c4c11db024c824a81b499fed513fd8f1a73ca261d43

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 2a6cdfcac99775cf627baa0c492822b1
SHA1 31f342298c7c5d2670b1e4245aba10d9d9a03722
SHA256 2650008d81826d69558bed947b98e7e2767eefcaa136b7b3fabf9fb7897532f0
SHA512 556bd12254469941b09ee58f9e8643b1cf37d8f0c1699a7960ac93c9fedd835f6a8d51d530a90f2f3db2677aa2887c63b19b8a5f2be751c7e4a5e95452d24708

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched

MD5 8626f0c30d4e3564ffdd25c90f4426f1
SHA1 a42a6b0af9f6b6cc92ade441f13d8eb54405b75a
SHA256 48095e57661edf47e44f8315dbe6372757449493a84e0166d69051299e1873f6
SHA512 d949f703875e8403eed0dc6eea573b8ef61f43d7d06a9cc2edd4d74f2e019eaaad40c8d7040db0f0870da124a7fa4471c0258b8af704e9900eac93e5eac27a0b

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_patched

MD5 2c9cc9f492ca596b1b9fc1ae5e916356
SHA1 553a6b184f2c4f77a2483daf9ea027e4e35a1516
SHA256 267377ea0e565b378ee37cf862654cc8717a8d54fccee7ae8110e95981d2c418
SHA512 fb2704402a338e9784ea6754ecb8efeb4334e834682d7af5ecc8a632d1dfd434bb2237398620d46573c28332cb0b62004e3a4cb8ff79da6c6e71c8c0cb63405a

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 e573bd9ab55c8e333c202b9e255f972e
SHA1 460bde795885134b48465dc73797db695af33e1f
SHA256 79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e
SHA512 bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\install-error.jpg

MD5 68ec09592f71a542470246c5522d4636
SHA1 61d2c3b7621c0c77fd91f7e6dacecd25bd49d69e
SHA256 d15a87cb382ddf6efea8cad0ac82fd3ee72db4f775ba4d22ca7bea9cdba20960
SHA512 d7d0da635faad6a2e56eadbaa1d83fb466e450bb69b37b67a08980da63393493b8fa6b48bcb6fbb1ce4512f7af17f4e5dd58654b3e8f9af79ca649b60cc62f5d

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c5.enc

MD5 a39e341d6a68ea661b9eb5e7707edf37
SHA1 521d8bd813225a750324e215fb73146ffcb3f1f4
SHA256 02c7096dd821d2fdffd7263e7adf62efc4a41584ee3c35d409999a317457ad5e
SHA512 0212e53116f0e1ec18a4acd1e89cee39fb56ccfe1aed3e0366e716a43b2dfc4a3b0108672f41570eab2b17763c7b1e7ff3d8bffc7cb259d60d6f719e2a70bf70

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c4.enc

MD5 9edf4f042ffb616d2d139b3e36000cf2
SHA1 79c988f96a635803951dbed0bdc257206380bc8f
SHA256 4ab24958c0986641bdfbbfd5df57a0f8f354e6a8f88f33b09bd6d9d9ae934df3
SHA512 2a42391ffc1bcc8622a56f7564958270986493eaa8d679e5dd96a333bd2a4b210f3bfba975cada8dc5bec4bee37c0a061d741abc47451eff81704d6870cce347

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c3.enc

MD5 823903ea3ea1ce97ebed801e6306f08d
SHA1 e4bdee37c87fa4f89136f04de807c0ab68610b6b
SHA256 743e073e703800d853028da31eb19e69922bddffa00d4c207e31c173754d9e83
SHA512 d930d773902d2681760afec5ee979f6f38976635087a4f7d0e99e791b8880cc822cdb858510dc42f013693363336605ea962e95dcc9caae3620955a6cd2a9349

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c2.enc

MD5 b3e970d171604bdef71809e63df44ff2
SHA1 a32858da162478b94e0cf1ff0dd4a821d859e69f
SHA256 b64bbed7e4d8a544261555a37ec2df1445ca4c38f0f49e9618f16f80d48ddf4b
SHA512 8b937a81fcbb99619f11bb13b888459c8bc68981bc01301aeeec204216592a3eea9de7619212c79e002580d41b4d2fbe1741e649940ac0b26d5e44ad600118cb

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c1.enc

MD5 5d280b2b82ebdbb4bad1b316f4b9b7cc
SHA1 7ca1173bf828c1bd78fb151bac7de7c2d9d867ed
SHA256 6eca38bc2c7d230d3e3b79ec49be46e553d6abd287c7c9b05571658460d2b6cd
SHA512 6a2b67aec6c274010de351ebef717eb64867b4b75859025eb489e2f95be8fff732314ffece5dae0e496cbf870f5cf25931748b0e832bfea41c83220841de5460

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c0.enc

MD5 97b53e8a8394f391b866fe0764681537
SHA1 a3e2117b6d1c4e6dae48363212768889a0a3a3e3
SHA256 ff9a5928782f0496d8d350bc047ba2f4d61c87492c303c9b805ee3686eae064e
SHA512 53315dfb3f9c27aed07564bee8e5441c276162d117fd438d96961dd02e39488930dcff9cf9d3e34fd92d36e3a18c44386a00e261a756a534a543cf62fc979af0

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_original

MD5 e01ebe6a0c7b306763667fdc60a0b25a
SHA1 87c4c3a7def1f3f98a8d4b0c4b46f10e2b6ed8ac
SHA256 3f388e6a575516b53f240569636ddb3d86c5123d28ae43e0c5b49b8c2e10e0bd
SHA512 6e1767724d65e81f69a48ee58201a9fae22945b353bebe7a087292340a280d6a721e37acbd2e441abf630bd73d2e507327adff6a1b25fd62593ba79209557fdf