Analysis Overview
SHA256
cfc93766552ba4240ee547666e583553bfe0ef5f3e13fe4a4aa2e116587db359
Threat Level: Likely malicious
The file 11d70692f4951c285da09737464c9eb3_JaffaCakes118 was found to be: Likely malicious.
Reading note: the artefact names in the behavioural run (the C:\32788R22FWJFW working directory, the .cfxxe helper extension, pev.exe and the PEVSystemStart service, swreg, SWXCACLS, nircmd, and IFEO keys named ComboFix.exe and Combo-Fix.exe) match those of the ComboFix malware-removal tool, which performs registry operations of this kind (resetting executable file associations, registering its helpers under IFEO, adding its own service to SafeBoot) as part of its cleanup routine. The report does not establish whether this sample is a genuine build (the PE is unsigned and UPX-packed), so the verdict is best read as a privileged system-modification tool of unverified origin rather than confirmed malware; each signature table should be judged on the values it actually shows.
Malicious Activity Summary
Nirsoft
Disables RegEdit via registry modification
Event Triggered Execution: Image File Execution Options Injection
Impair Defenses: Safe Mode Boot
UPX packed file
Loads dropped DLL
Modifies system executable filetype association
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 11:28
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 11:27
Reported
2024-06-26 11:30
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
Note: each row below writes DisableRegistryTools = 0, which is the value that permits regedit (1 or 2 block it). The signature fires on any write to this policy value, so the evidence here shows the restriction being cleared or re-asserted as cleared, not imposed.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\PEV.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
Note: the rows record IFEO keys being created and deleted both for Windows binaries (cmd.exe, taskmgr.exe, regedit.exe, reg.exe, rundll32.exe, cscript.exe, ctfmon.exe, find.exe, Findstr.exe, expand.exe) and for the sample's own helpers (the .cfxxe entries, pev, swreg, swsc, nircmd). The values written under those keys are not shown, and an IFEO key only redirects execution of the named image if it carries a Debugger value, so this table alone does not establish a hijack; the Debugger value has to be checked on the host.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TAIL.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zip.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETPATH.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SF.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MTEE.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moveex.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CTFMON.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expand.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setpath.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWREG.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HIDEC.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HANDLE.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LISTDLLS.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\listdlls.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ERUNT.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LISTDLLS.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REG.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGT.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWREG.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CHCP.COM | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SED.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZIP.CFXXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdsv.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDSTR.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Combo-Fix.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MTEE.CFXXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FDSV.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\32788R22FWJFW\pev.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Note: the rows add two entries under SafeBoot\Minimal, PEVSystemStart (= "Service") and procexp90.Sys (= "Driver"). Subkeys there are the allow-list of what may start when Windows boots into Safe Mode, so the effect is to let the sample's own service and a driver load in Safe Mode; nothing in this table disables Safe Mode itself. The sandbox wrote ControlSet001; on a live host the same data is reached through CurrentControlSet.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\PEV.exe | N/A |
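The IFEO and SafeBoot tables above record key creation and deletion, not the values stored under those keys, and those values are what decide whether an IFEO entry actually redirects execution or a SafeBoot entry still points at a real component. The PowerShell triage script below is an added example; it is not part of the sandbox report and not code from the tool that produced these artefacts. It assumes PowerShell 5.1 or later run as a local administrator on the host being examined, reads CurrentControlSet rather than the sandbox's ControlSet001, and the image names in $ReportedImages are copied from the IFEO rows above; the function names are my own.

```powershell
# Added triage example for the IFEO and SafeBoot artefacts listed in the report.
# Assumptions: PowerShell 5.1+, run elevated on the host being examined.

# Image names copied from the report's IFEO rows (Windows binaries plus the
# sample's own helpers). Any other entry carrying a Debugger value is shown too.
$ReportedImages = @(
    'cmd.exe', 'taskmgr.exe', 'regedit.exe', 'reg.exe', 'rundll32.exe',
    'cscript.exe', 'ctfmon.exe', 'find.exe', 'Findstr.exe', 'expand.exe',
    'ComboFix.exe', 'Combo-Fix.exe', 'pev.exe', 'swreg.exe', 'swsc.exe',
    'Nircmd.com', 'tail.com', 'chcp.com'
)

$IfeoRoot        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SafeBootMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

function Get-IfeoFindings {
    # An IFEO key is inert until it carries a value such as Debugger, which makes
    # Windows launch the named program instead of the image. List every value
    # name so other options (GlobalFlag, MitigationOptions, ...) are visible too.
    foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
        $image      = $key.PSChildName
        $props      = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $valueNames = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        $inReport   = $ReportedImages -contains $image      # -contains is case-insensitive
        if ($inReport -or $props.Debugger) {
            [pscustomobject]@{
                Image    = $image
                InReport = $inReport
                Debugger = $props.Debugger
                Values   = ($valueNames -join ',')
            }
        }
    }
}

function Get-SafeBootFindings {
    # Each subkey names a service or driver allowed to start in Safe Mode; the
    # default value says which. The report adds PEVSystemStart ("Service") and
    # procexp90.Sys ("Driver"). Flag those, plus any Service/Driver entry whose
    # component no longer exists under Services (heuristic: drivers are usually
    # listed here by file name, so a trailing .sys is stripped before lookup).
    foreach ($key in Get-ChildItem -Path $SafeBootMinimal -ErrorAction SilentlyContinue) {
        $name     = $key.PSChildName
        $kind     = (Get-ItemProperty -Path $key.PSPath).'(default)'
        $svcName  = $name -replace '\.sys$', ''
        $svc      = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName" -ErrorAction SilentlyContinue
        $inReport = @('PEVSystemStart', 'procexp90.Sys') -contains $name
        if ($inReport -or (($kind -in @('Service', 'Driver')) -and (-not $svc))) {
            [pscustomobject]@{
                Entry     = $name
                Kind      = $kind
                InReport  = $inReport
                ImagePath = $svc.ImagePath
            }
        }
    }
}

Get-IfeoFindings     | Sort-Object InReport -Descending | Format-Table -AutoSize
Get-SafeBootFindings | Format-Table -AutoSize
```

Run it elevated; a populated Debugger column for a Windows binary, or a SafeBoot entry whose Services key is missing, is the finding worth pursuing. An IFEO key for a reported image with an empty Values column is a leftover, not a live hijack.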
Loads dropped DLL
Modifies system executable filetype association
Note: every value written below is "%1" %*, the stock command for the exefile, comfile, batfile and piffile classes; the signature reacts to the write itself. The rows show the association being overwritten with the default, not pointed at another program, so on an affected host the check is that the current value still equals "%1" %* in both HKLM\SOFTWARE\Classes and the per-user HKCU\Software\Classes, which takes precedence at merge time.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
Note: the only startup value actually set is RunOnce\GrpConv = "grpconv -o", written by InfDefaultInstall.exe; that is the entry setupapi adds whenever an INF is installed, so it is a side effect of the INF install rather than a persistence entry for the sample. The remaining rows delete the RunOnceEx key.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX | C:\32788R22FWJFW\pev.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" | C:\32788R22FWJFW\PEV.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" | C:\32788R22FWJFW\PEV.exe | N/A |
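Between them, the rows under "Disables RegEdit via registry modification", "Modifies system executable filetype association" and "Modifies registry class" touch three things a responder should re-check on an affected host: the per-user DisableRegistryTools policy, the shell commands of the executable file classes, and the .cfxxe/.cfexe extensions the sample registers for its helper binaries. The script below is an added example, not part of the report and not code from any tool named in it. It assumes PowerShell 5.1 or later run as an administrator; the default command string, the class names, the extensions and the C:\32788R22FWJFW working directory are taken from the tables above, and the function names are my own.

```powershell
# Added host check for the policy and file-class artefacts in the report.
# Assumptions: PowerShell 5.1+, elevated, run on the host being examined.

# Stock Windows command for these classes, and the value the sample wrote.
$DefaultCommand = '"%1" %*'
$ExecClasses    = 'exefile', 'comfile', 'batfile', 'piffile', 'cmdfile'
$WorkingDir     = 'C:\32788R22FWJFW'      # process directory seen in the report

function Get-ShellCommandFindings {
    # The sample wrote HKLM\SOFTWARE\Classes; a per-user override in
    # HKCU\Software\Classes wins when HKCR is merged, so both hives are read.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        foreach ($class in $ExecClasses) {
            foreach ($verb in 'open', 'runas') {
                $path = "$hive\$class\shell\$verb\command"
                if (-not (Test-Path -Path $path)) { continue }
                $cmd = (Get-ItemProperty -Path $path).'(default)'
                [pscustomobject]@{
                    Hive      = $hive
                    Class     = $class
                    Verb      = $verb
                    Command   = $cmd
                    IsDefault = ($cmd -eq $DefaultCommand)
                }
            }
        }
    }
}

function Get-RegistryToolsPolicy {
    # HKEY_USERS has no drive by default; the Registry:: provider path reaches
    # every loaded hive. 0 or absent = regedit allowed; 1 or 2 = blocked.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }
        $polPath = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $pol     = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sid                  = $sid
            DisableRegistryTools = $pol.DisableRegistryTools
            DisableTaskMgr       = $pol.DisableTaskMgr
        }
    }
}

function Get-HelperExtensionFindings {
    # .cfxxe (ProgID cfxxefile) and .cfexe (cfexefile) are the extensions the
    # sample registers so its renamed helpers run by association like .exe files.
    foreach ($ext in '.cfxxe', '.cfexe') {
        $extKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue
        if (-not $extKey) { continue }
        $progId = $extKey.'(default)'
        $cmdKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Command   = $cmdKey.'(default)'
        }
    }
}

Get-ShellCommandFindings    | Where-Object { -not $_.IsDefault } | Format-Table -AutoSize
Get-RegistryToolsPolicy     | Format-Table -AutoSize
Get-HelperExtensionFindings | Format-Table -AutoSize
if (Test-Path -Path $WorkingDir) {
    "Working directory $WorkingDir still present:"
    Get-ChildItem -Path $WorkingDir -Recurse -File | Select-Object FullName, Length, LastWriteTime
}
```

A non-default command for any of the five classes, in either hive, is the only outcome here that needs remediation; a still-registered .cfxxe handler or a surviving C:\32788R22FWJFW directory shows the run was not cleaned up and gives you the helper binaries to hash and compare.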
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\32788R22FWJFW\License\iexplore.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\32788R22FWJFW\pev.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\SWXCACLS.cfxxe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\32788R22FWJFW\pev.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Tool"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Central"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security essentials"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close class consolewindowclass
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" exec hide 32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\License\iexplore.exe
32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\pev.exe
32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
C:\32788R22FWJFW\SWXCACLS.cfxxe
32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\cmd.cfxxe
"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.1.7600" OsVer
C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -is "currentversion.* 6.[01]" OsVer00
C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService
C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD.cfxxe WIN CLOSE CLASS "#32770"
C:\32788R22FWJFW\NirCmd.cfxxe
NIRCMD.cfxxe KILLPROCESS "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\swreg.exe
SWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -isq "ProductType.*WinNT" WinNT00
C:\32788R22FWJFW\pev.exe
PEV PLIST
C:\32788R22FWJFW\grep.cfxxe
GREP -Fis "C:\Windows\system32\csrss.exe"
C:\32788R22FWJFW\SWREG.cfxxe
SWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q
C:\32788R22FWJFW\SWREG.cfxxe
SWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q
C:\Windows\SysWOW64\chcp.com
CHCP 1252
C:\32788R22FWJFW\NirCmd.cfxxe
Nircmd.cfxxe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
C:\32788R22FWJFW\cmd.cfxxe
"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
Network
Files
C:\32788R22FWJFW\n.pif
| MD5 | ae72e8619cb31d84da25e2435e55003c |
| SHA1 | 2ed893a9aa82da248b5f4344819fcf6ad2d28240 |
| SHA256 | eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24 |
| SHA512 | 1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982 |
C:\32788R22FWJFW\License\iexplore.exe
| MD5 | f1fba6185a6a2bc6456970914875078e |
| SHA1 | a3a0da9b072ad4ceab9aec41af71a730d9b44744 |
| SHA256 | deaaab3b825ebadb6395e0be7671f96fd30ca8f76159b53c2d11da5c2ca7b7d0 |
| SHA512 | 45cd68a2465d5aa24a693f5bdec9999fee1117e4329d4ae2e1d51a923d42d717e1d09eff9f9e11f3282ebc32422640028d64bf108f9d3d9c49bcd1df6b14212a |
C:\32788R22FWJFW\hidec.exe
| MD5 | abc6379205de2618851c4fcbf72112eb |
| SHA1 | 1ed7b1e965eab56f55efda975f9f7ade95337267 |
| SHA256 | 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f |
| SHA512 | 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1 |
C:\\32788R22FWJFW\License\UnxUtilsDist.pif
| MD5 | 50bf4c2f676d9f72739a3056f539c25b |
| SHA1 | 4343d7c0b00d433a278f455373df24e31110f13b |
| SHA256 | cd13768a6e28bbebb7c11458965703a98df6c3722955f392ddbd555adf0ddd41 |
| SHA512 | dcdcede9fe9f282d77aa19008d7343ea793a66d152835cc86f133b9ff2b6490ce976c3abdb3538b0deff2db388b949937ed364ffe5f076a74d76cc743d9e2e28 |
C:\32788R22FWJFW\Prep.inf
| MD5 | f03267eaf036d409ef5a4be5d52fce0c |
| SHA1 | 6e3b554805deae14ef3d20b028608d5597b742b7 |
| SHA256 | 6ac8ee793e2013b772c2ef5a93fafb27b058fff675a5ed5f29d4062775050aff |
| SHA512 | 9067c87977c6a89c4389add25235b58c828dcc0c0c88f85b5f7bc6f33913c21e4a0dbf1b659409354df9266e8f0dd6a30a34a062444f35ee1aa9b6be7fb35ebc |
C:\\32788R22FWJFW\EXE.reg
| MD5 | 36cc97e6ad2062cf6ec87112f93a966b |
| SHA1 | fa69d6fb867dd576c98c8f58f4ea088be99bb4b3 |
| SHA256 | 053e62b47466216370865e22e0459ac32abc21b8265d2666dfd253996145741b |
| SHA512 | 7ae97e3ea54720856731ce85c46d67a160080aea8fbca21f5fb13a7a8ec81a164d313865aed4a1db23e2d3539ba97d8ca0fbfb21f5f95a6afe7e4c044d3c8135 |
\32788R22FWJFW\swreg.exe
| MD5 | 01d95a1f8cf13d07cc564aabb36bcc0b |
| SHA1 | be229bde90b82d21fe94c67e2b096334e93d78c2 |
| SHA256 | 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3 |
| SHA512 | 342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48 |
C:\32788R22FWJFW\swxcacls.cfxxe
| MD5 | b1a9cf0b6f80611d31987c247ec630b4 |
| SHA1 | 7299b3c370254e1e4bade26dc5fec818989d836a |
| SHA256 | 933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef |
| SHA512 | 152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 11:27
Reported
2024-06-26 11:30
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" | C:\32788R22FWJFW\PEV.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regt.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBO-FIX.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zip.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\listdlls.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETPATH.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ATTRIB.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mtee.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extract.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erunt.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\grep.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWXCACLS.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XCOPY.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mtee.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erunt.cfxxe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CATCHME.CFXXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catchme.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERUNT.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sed.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MOVEEX.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERDNT.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Combo-Fix.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcopy.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.com | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.EXE | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FINDSTR.EXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGT.CFXXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.CFXXE | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe | C:\32788R22FWJFW\pev.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\32788R22FWJFW\n.pif | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart | C:\32788R22FWJFW\PEV.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\32788R22FWJFW\PEV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | C:\32788R22FWJFW\pev.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" | C:\32788R22FWJFW\PEV.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | C:\32788R22FWJFW\pev.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\PEV.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\32788R22FWJFW\pev.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\32788R22FWJFW\pev.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" | C:\Windows\SysWOW64\InfDefaultInstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | C:\32788R22FWJFW\PEV.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\32788R22FWJFW\pev.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\32788R22FWJFW\License\iexplore.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\swreg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\32788R22FWJFW\SWXCACLS.cfxxe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\32788R22FWJFW\PEV.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\32788R22FWJFW\pev.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Tool"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Central"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security essentials"
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" win close class consolewindowclass
C:\32788R22FWJFW\iexplore.exe
"C:\32788R22FWJFW\iexplore.exe" exec hide 32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\License\iexplore.exe
32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\pev.exe
32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf
C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"
C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
C:\32788R22FWJFW\PEV.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
C:\32788R22FWJFW\SWXCACLS.cfxxe
32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\hidec.exe
"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
C:\32788R22FWJFW\SWREG.exe
32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr
C:\32788R22FWJFW\swreg.exe
32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\GSAR.cfxxe
32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\nircmd.cfxxe
"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\cmd.cfxxe
"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\pev.exe
32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.1.2" OsVer
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.0.6" OsVer
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "6.1.7600" OsVer
C:\32788R22FWJFW\swreg.exe
SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -is "currentversion.* 6.[01]" OsVer00
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.00.2" OsVer
C:\32788R22FWJFW\grep.cfxxe
GREP.cfxxe -F "5.2." OsVer
C:\Windows\SysWOW64\chcp.com
CHCP 1252
C:\32788R22FWJFW\NirCmd.cfxxe
Nircmd.cfxxe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"
C:\32788R22FWJFW\n.pif
"C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\cmd.cfxxe
"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
C:\32788R22FWJFW\cmd.cfxxe
"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/400-0-0x0000000000400000-0x0000000000428000-memory.dmp
C:\32788R22FWJFW\n.pif
| MD5 | ae72e8619cb31d84da25e2435e55003c |
| SHA1 | 2ed893a9aa82da248b5f4344819fcf6ad2d28240 |
| SHA256 | eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24 |
| SHA512 | 1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982 |
memory/1512-352-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1860-356-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4304-358-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1512-355-0x0000000000400000-0x0000000000414000-memory.dmp
C:\32788R22FWJFW\hidec.exe
| MD5 | abc6379205de2618851c4fcbf72112eb |
| SHA1 | 1ed7b1e965eab56f55efda975f9f7ade95337267 |
| SHA256 | 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f |
| SHA512 | 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1 |
memory/5072-377-0x0000000000400000-0x0000000000402000-memory.dmp
memory/4840-378-0x0000000000E10000-0x0000000000EE1000-memory.dmp
C:\32788R22FWJFW\pev.exe
| MD5 | f1fba6185a6a2bc6456970914875078e |
| SHA1 | a3a0da9b072ad4ceab9aec41af71a730d9b44744 |
| SHA256 | deaaab3b825ebadb6395e0be7671f96fd30ca8f76159b53c2d11da5c2ca7b7d0 |
| SHA512 | 45cd68a2465d5aa24a693f5bdec9999fee1117e4329d4ae2e1d51a923d42d717e1d09eff9f9e11f3282ebc32422640028d64bf108f9d3d9c49bcd1df6b14212a |
memory/2496-381-0x0000000000F40000-0x0000000001011000-memory.dmp
C:\32788R22FWJFW\License\UnxUtilsDist.pif
| MD5 | 50bf4c2f676d9f72739a3056f539c25b |
| SHA1 | 4343d7c0b00d433a278f455373df24e31110f13b |
| SHA256 | cd13768a6e28bbebb7c11458965703a98df6c3722955f392ddbd555adf0ddd41 |
| SHA512 | dcdcede9fe9f282d77aa19008d7343ea793a66d152835cc86f133b9ff2b6490ce976c3abdb3538b0deff2db388b949937ed364ffe5f076a74d76cc743d9e2e28 |
memory/2496-389-0x0000000000F40000-0x0000000001011000-memory.dmp
memory/4840-390-0x0000000000E10000-0x0000000000EE1000-memory.dmp
C:\32788R22FWJFW\Prep.inf
| MD5 | f03267eaf036d409ef5a4be5d52fce0c |
| SHA1 | 6e3b554805deae14ef3d20b028608d5597b742b7 |
| SHA256 | 6ac8ee793e2013b772c2ef5a93fafb27b058fff675a5ed5f29d4062775050aff |
| SHA512 | 9067c87977c6a89c4389add25235b58c828dcc0c0c88f85b5f7bc6f33913c21e4a0dbf1b659409354df9266e8f0dd6a30a34a062444f35ee1aa9b6be7fb35ebc |
C:\32788R22FWJFW\EXE.reg
| MD5 | 36cc97e6ad2062cf6ec87112f93a966b |
| SHA1 | fa69d6fb867dd576c98c8f58f4ea088be99bb4b3 |
| SHA256 | 053e62b47466216370865e22e0459ac32abc21b8265d2666dfd253996145741b |
| SHA512 | 7ae97e3ea54720856731ce85c46d67a160080aea8fbca21f5fb13a7a8ec81a164d313865aed4a1db23e2d3539ba97d8ca0fbfb21f5f95a6afe7e4c044d3c8135 |
memory/992-401-0x0000000000F40000-0x0000000001011000-memory.dmp
C:\32788R22FWJFW\swreg.exe
| MD5 | 01d95a1f8cf13d07cc564aabb36bcc0b |
| SHA1 | be229bde90b82d21fe94c67e2b096334e93d78c2 |
| SHA256 | 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3 |
| SHA512 | 342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48 |
memory/548-415-0x0000000000400000-0x000000000048B000-memory.dmp
C:\32788R22FWJFW\swxcacls.cfxxe
| MD5 | b1a9cf0b6f80611d31987c247ec630b4 |
| SHA1 | 7299b3c370254e1e4bade26dc5fec818989d836a |
| SHA256 | 933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef |
| SHA512 | 152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1 |
memory/400-414-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4016-425-0x0000000000F40000-0x0000000001011000-memory.dmp
memory/2844-426-0x0000000000400000-0x000000000043E000-memory.dmp
memory/548-428-0x0000000000400000-0x000000000048B000-memory.dmp
memory/3380-430-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2076-432-0x0000000000400000-0x000000000048B000-memory.dmp
memory/828-433-0x0000000000400000-0x000000000048B000-memory.dmp
memory/1108-440-0x0000000000400000-0x000000000048B000-memory.dmp
memory/3976-441-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4980-446-0x0000000000400000-0x000000000048B000-memory.dmp
memory/528-457-0x0000000000400000-0x000000000048B000-memory.dmp
C:\32788R22FWJFW\gsar.cfxxe
| MD5 | d6a005f8facff88e260688ddb7ae00c1 |
| SHA1 | 4e22c7a9fc89587addc4d5ddab71199e08ea5b50 |
| SHA256 | 0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49 |
| SHA512 | 7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7 |
C:\32788R22FWJFW\cmd.cfxxe
| MD5 | 29824dce144b6134797729005107ee1f |
| SHA1 | d0bb9999154b87c32658b55c5c3bc2c5cbe156b6 |
| SHA256 | bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5 |
| SHA512 | f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd |
C:\32788R22FWJFW\P.cmd
| MD5 | 16c79348f25f4437390163d0b625133f |
| SHA1 | 442b8286359ff64a0001ec914cf0019777e88fa7 |
| SHA256 | 346d883f24248acc4ccdf4fecf1084fdee0be47d9e6f86bc740dd60ff8f515f2 |
| SHA512 | c33bc09ce54ef662320c92f4f02a8bdbcbcba4736e1c33891436fd14c93050a5c1fb349f7deb40ff6e09275950de91639a48add4b2eb8474ee3c4f057c4c6946 |
memory/4836-478-0x0000000000F40000-0x0000000001011000-memory.dmp
memory/4836-480-0x0000000000F40000-0x0000000001011000-memory.dmp
C:\32788R22FWJFW\grep.cfxxe
| MD5 | 9e05a9c264c8a908a8e79450fcbff047 |
| SHA1 | 363b2ee171de15aeea793bd7fdffd68d0feb8ba4 |
| SHA256 | c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1 |
| SHA512 | 712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa |
memory/3048-486-0x0000000000400000-0x0000000000417000-memory.dmp
C:\32788R22FWJFW\OsVer
| MD5 | 81107438325dd733bb955160756d8c08 |
| SHA1 | fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca |
| SHA256 | 29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6 |
| SHA512 | d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed |
memory/3424-488-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2572-490-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4436-492-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2748-495-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4572-496-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1320-497-0x0000000000400000-0x0000000000417000-memory.dmp
memory/400-500-0x0000000000400000-0x0000000000428000-memory.dmp
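Two things in the listing above are worth extracting rather than reading by eye: the dropped files (several carry non-executable extensions such as `.pif` and `.cfxxe`, so matching on hash is more reliable than matching on extension), and the memory dump names, where the same address span recurring across many PIDs (for example 0x400000-0x48B000 for PIDs 548, 3380, 2076, 828 and others) indicates one dropped image being run repeatedly. The script below is an added example, not part of the report, that parses an excerpt of the listing into a path-to-hashes map and a list of dumped regions, clusters the dumps by span, and looks up a SHA256 against the map. The interpretation of the dump name as `memory/<pid>-<sequence>-<start>-<end>-memory.dmp` is an assumption about the report's naming scheme; the excerpt keeps only MD5 and SHA256 for three of the files, and it collapses doubled backslashes in paths so both spellings of the drop directory compare equal.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Excerpt copied from the Files listing above (three files, MD5/SHA256 only,
# plus the memory dump names). One path is written with a doubled backslash,
# as such listings sometimes come out of extraction; the parser collapses it.
FILES_LISTING = r"""
memory/400-0-0x0000000000400000-0x0000000000428000-memory.dmp
C:\32788R22FWJFW\n.pif
| MD5 | ae72e8619cb31d84da25e2435e55003c |
| SHA256 | eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24 |
memory/1512-352-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1860-356-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4304-358-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1512-355-0x0000000000400000-0x0000000000414000-memory.dmp
C:\\32788R22FWJFW\License\UnxUtilsDist.pif
| MD5 | 50bf4c2f676d9f72739a3056f539c25b |
| SHA256 | cd13768a6e28bbebb7c11458965703a98df6c3722955f392ddbd555adf0ddd41 |
memory/548-415-0x0000000000400000-0x000000000048B000-memory.dmp
C:\32788R22FWJFW\swreg.exe
| MD5 | 01d95a1f8cf13d07cc564aabb36bcc0b |
| SHA256 | 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3 |
memory/3380-430-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2076-432-0x0000000000400000-0x000000000048B000-memory.dmp
memory/828-433-0x0000000000400000-0x000000000048B000-memory.dmp
memory/3048-486-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3424-488-0x0000000000400000-0x0000000000417000-memory.dmp
memory/400-500-0x0000000000400000-0x0000000000428000-memory.dmp
"""

# Assumed field layout of a dump name: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalise_path(p: str) -> str:
    """Collapse runs of backslashes so C:\\\\dir and C:\\dir are the same key."""
    return re.sub(r"\\+", r"\\", p.strip())


def parse_listing(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Dict[str, int]]]:
    """Walk the listing line by line: a dump name starts no file context, a
    hash row attaches to the most recent path, anything else is a new path."""
    files: Dict[str, Dict[str, str]] = {}
    dumps: List[Dict[str, int]] = []
    current: Optional[str] = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1).lower()] = m.group(2).lower()
            continue
        if line:
            current = normalise_path(line)
            files.setdefault(current, {})
    return files, dumps


def cluster_dumps(dumps: List[Dict[str, int]]) -> Dict[Tuple[int, int], List[int]]:
    """Group dumped regions by (start, end); one span recurring across many
    PIDs usually means the same dropped image was executed repeatedly."""
    clusters = defaultdict(set)
    for d in dumps:
        clusters[(d["start"], d["end"])].add(d["pid"])
    return {span: sorted(pids) for span, pids in clusters.items()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_sha256(digest: str, files: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the report path whose SHA256 equals digest (case-insensitive), else None."""
    digest = digest.lower()
    for path, hashes in files.items():
        if hashes.get("sha256") == digest:
            return path
    return None


if __name__ == "__main__":
    files, dumps = parse_listing(FILES_LISTING)
    for span, pids in sorted(cluster_dumps(dumps).items()):
        print(f"0x{span[0]:X}-0x{span[1]:X} ({span[1] - span[0]:#x} bytes): PIDs {pids}")
    print(match_sha256(sha256_hex(b""), files))
```

To check a suspect host, hash the files on disk with `sha256_hex` and feed each digest to `match_sha256`; a hit returns the path the sandbox recorded for that content, regardless of what the file is called locally.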