Analysis Overview
SHA256
0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5
Threat Level: Likely malicious
The file Chew7.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Loads dropped DLL
Modifies file permissions
UPX packed file
Executes dropped EXE
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Adds Run key to start application
Enumerates processes with tasklist
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
Kills process with taskkill
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 03:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 03:38
Reported
2024-08-13 03:39
Platform
win7-20240729-en
Max time kernel
43s
Max time network
43s
Command Line
Signatures
Possible privilege escalation attempt
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chew7Hale = "\"C:\\Windows\\System32\\hale.exe\" /nolog" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c77351 = "\"C:\\Windows\\System32\\cmd.exe\" /C START /MIN RD /S /Q \"C:\\ProgramData\\Microsoft\\Windows\\Pending\"^&EXIT" | C:\Windows\system32\reg.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\systemcpl.dll | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\winver.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winver.exe | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File opened for modification | C:\Windows\system32\hale.exe | C:\Users\Admin\AppData\Local\Temp\Chew7.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slwga.dll | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\user32.dll | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File opened for modification | C:\Windows\System32\slui.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\sppcommdlg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sppcommdlg.dll | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File created | C:\Windows\System32\winlogon.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cwlog.dtl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slwga.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winver.exe | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File created | C:\Windows\System32\cwlog.dtl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\sppuinotify.dll | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\slwga.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\slwga.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slwga.dll | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File created | C:\Windows\SysWOW64\slwga.dll | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\systemcpl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winver.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winlogon.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\systemcpl.dll | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\user32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\hale.exe | C:\Users\Admin\AppData\Local\Temp\Chew7.exe | N/A |
| File created | C:\Windows\System32\slui.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sppcommdlg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sppuinotify.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\user32.dll | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system32\hale.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Chew7.exe
"C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im hale.exe
C:\Windows\system32\hale.exe
"C:\Windows\system32\hale.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd" "
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd""
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE
C:\Windows\system32\find.exe
FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
C:\Windows\system32\tasklist.exe
TASKLIST /FI "IMAGENAME eq Chew7.exe"
C:\Windows\system32\find.exe
FIND "Chew7.exe"
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v LastAttempt /t REG_SZ /d install /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
C:\Windows\system32\reg.exe
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TIME /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
C:\Windows\system32\find.exe
FIND "64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
C:\Windows\system32\find.exe
FIND "86"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
C:\Windows\system32\find.exe
FIND "64"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
C:\Windows\system32\find.exe
FIND "86"
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\winsxs"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
C:\Windows\system32\find.exe
FIND /I "IntervalSeconds"
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 30 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 1e /f
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slmgr.vbs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slmgr.vbs
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\27931.lck" "C:\Windows\System32\slmgr.vbs"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\slmgr.vbs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\slmgr.vbs
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\31111.lck" "C:\Windows\SysWOW64\slmgr.vbs"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slwga.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slwga.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\2314.lck" "C:\Windows\System32\slwga.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\slwga.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64\slwga.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slwga.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\16862.lck" "C:\Windows\SysWOW64\slwga.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppwmi.dll
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\sppwmi.dll
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\user32.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\user32.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\user32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\4151.lck" "C:\Windows\System32\user32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\systemcpl.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x0F:x84:xFD -r:x90:xE9:xFD -o 64\systemcpl.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\systemcpl.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\systemcpl.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\systemcpl.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28129.lck" "C:\Windows\System32\systemcpl.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slui.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\slui.exe
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slui.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\8495.lck" "C:\Windows\System32\slui.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppcommdlg.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppcommdlg.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28435.lck" "C:\Windows\System32\sppcommdlg.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppuinotify.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
bump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
C:\Windows\system32\find.exe
FIND "changed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\sppuinotify.dll
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\sppuinotify.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\10221.lck" "C:\Windows\System32\sppuinotify.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\winlogon.exe
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\winlogon.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\18428.lck" "C:\Windows\System32\winlogon.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\winver.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 64\winver.exe
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\winver.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winver.exe" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\12651.lck" "C:\Windows\System32\winver.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\winver.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
crc32.exe 32\winver.exe
C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64\winver.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\winver.exe" /GRANT *S-1-1-0:F
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\23544.lck" "C:\Windows\SysWOW64\winver.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
C:\Windows\system32\sfc.exe
SFC /scanfile="C:\Windows\System32\wlms\wlms.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""
C:\Windows\system32\find.exe
FIND "FAIL:"
C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d TRUE /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /d "\"C:\Windows\System32\hale.exe\" /nolog" /f
C:\Windows\system32\reg.exe
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\Windows\system32\find.exe
FIND "c77351"
C:\Windows\system32\reg.exe
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\Windows\system32\find.exe
FIND /I "/C START /MIN RD /S /Q"
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "c77351" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f
C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe
C:\Windows\system32\timeout.exe
TIMEOUT /T 1e /NOBREAK
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /f /t 0 /d p:2:18
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2876-0-0x000007FEF6A5E000-0x000007FEF6A5F000-memory.dmp
memory/2876-1-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-2-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-3-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-4-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-5-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-6-0x000007FEF6A5E000-0x000007FEF6A5F000-memory.dmp
C:\Windows\System32\hale.exe
| MD5 | 2469decec0e28cb3c83e7fc47cb4ad12 |
| SHA1 | 6409fce7b0f64b3297346a5c82a632ce61d7fe8a |
| SHA256 | e4d7bb65281a62e905eb2e7aef466525a24403079d4579029847d75142b48282 |
| SHA512 | 2a00232f62b13e6678068cbd9ba2621a4157c0a0baa70dc19349623c21fab770b897db003811ef83a27c45fd988d04637baad54c63d22b1c4bcbc08fb208d1eb |
memory/2812-14-0x0000000000400000-0x0000000000BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd
| MD5 | 6ce66570bfab35a20d280d9833049e97 |
| SHA1 | fc9e4248551156ba80e515e78d3496429754aae2 |
| SHA256 | c755237b5c58134ff21520f7d2d401e5c9ad40d05dc76fe317ffd238ecafecf2 |
| SHA512 | 1870e653f7132e23b9a1c078b6a6931e6bff6682e8da7325eed20ffef800dbc21e71ff28e5447fc871715c07cc4e8986196a637d855550515feac168c72984b3 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\setv.cmd
| MD5 | adbb4c4121d770efc7154f06fe476a42 |
| SHA1 | 2ca33c200eb09e8619936997211d8894dadc3694 |
| SHA256 | 6a8233f58dcdffd51292b753688848198982c5de11945651f165d1174e570372 |
| SHA512 | 380c291625ee88a1a7dca67b6a27d393cdf1fc4a60349f413071f584f86372c420bc46467251147ef766c92349751db1cea594a69b6dd6fc0fb67e0d13630697 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\radd.cmd
| MD5 | 0ca0566671854f45d316877cb3b9563b |
| SHA1 | 75ea44bb67f797281703030b2989e91c2723ddb6 |
| SHA256 | 048e766ffd49a6ea2fe280dc3f949c1173b439b0367137972fb6f8196c6ad8f3 |
| SHA512 | 12c6e3b76dbf2ea7c631a86010f77467e173cd497af0ce2e8f8fe95986ad4558c950928d4a3fe7fe28d82ca4d29f1c79aeddd0096b1792b6b015264b1a70a51f |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\arch.cmd
| MD5 | 379f17168f80eb977a0ae103dac9de98 |
| SHA1 | 5cd7f4ec26366e2777fc5d5059009f7872fbb8de |
| SHA256 | 7257349f727d176425f3854bbb7624ec3ec4422e872fbdd025420e9791f99897 |
| SHA512 | 543b8fa7aa3fc95a01568348f3c0ce22cf804cf4451af38858e0b5e3691f7d9a1ea1bcd51a9e3edd1e9a187224861c9cb49fd23c0e9737ad5a78b2dcf4c89c83 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\plat.cmd
| MD5 | 18e656cb3dd56af78ac3c58c7018145a |
| SHA1 | 8d6ce19ea492834e65949a7299ebc8e87ff4e484 |
| SHA256 | a18f490dfe451f8c14eaf07951292cc45318073ddbac65b18831668f48d811b2 |
| SHA512 | 2292eaa0ac027c5b8bb1a5c838d40ace1b723f2962284b26087c52817b2b7db3ef05cbecfe1899d9a2f226292f3bb4409633c9d007facfef8673135b8ae4c148 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\town.cmd
| MD5 | 574958530816e546394dbc025d8a08eb |
| SHA1 | dbdfb40357f60bb6bc4575806f1f924a11302205 |
| SHA256 | 81ebb38c6e13f2b695cc1cf42ff6f6a1a836270325c2b14a76d4ed5d7ee718da |
| SHA512 | 088c2bb7b8de936bcc9118ce993bda38344556d8bbd2c0737321042751cf3d0edb730c2fb9fe0bb745694205c68fefcc303907bde02a8b58ae15de23f7dc09c1 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\plog.cmd
| MD5 | d638644c3bb80f1e98ae06fa85680eb1 |
| SHA1 | 96d95338be3be4a24d999b82d1e00ccfd797614b |
| SHA256 | e8a990623424631496704087d29f05300bc5efabb47c94ffe7f6bd46d803b587 |
| SHA512 | 1349049890363c7ff3a5213e063a1dbc898cf8c85933066c34b0d88b33b6b1964751e9b470af504a62898c870f4dfeee9858aadc336c1f33485e81e89ef1de1a |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\intv.cmd
| MD5 | 3ab983628da0fd9f8afd497d07f33d76 |
| SHA1 | 1d85342e56d1e5d90a10aeb9bde0232250187169 |
| SHA256 | 97754ba105cd61128ebef8aab5272f669a72b64f44b6d861c8d507c088410a27 |
| SHA512 | 65da3d80645d943d4717e8b340bb9ce3e26f07e63b9db7c1d27f68ddf9f3696ba9e0475301e13e93f841558834e4b8fee5452ef220503fe41d70057c5f55da8e |
C:\Windows\System32\cwlog.dtl
| MD5 | 38c983879e5d98fef44e8e0538fc7c21 |
| SHA1 | 1117731974d46d5a8cc25364e0b05f7e2a3ec11c |
| SHA256 | 4c447aafb91fce5872a5e2cd1cc86e7557f1765314fa2ed1a7aa0cb98054c81b |
| SHA512 | d1a38ca9bad5f24d590e351c0fd59703d8c5508eeca127dca4a1ccc852e4be92ce4add9fa31ca140cd2701498e9f5635f5465958059efe53d90ce80c09c95431 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\lhed.cmd
| MD5 | 34670db25d9afd4f3912f77f2e5c7d08 |
| SHA1 | a59646f18b9a365067f9163f2319e219883334d2 |
| SHA256 | a4761b5a5f5e6542867ba1caa87676410b7aedccd762826359046167771659ff |
| SHA512 | 069204ff649adec9a4b5029bf8b99c3cb324da3306f9bd9bb350883576efbda65fea445b5d7a1cb3bdcffa66b11be22415d5def1ecca25af19839a22360d5a29 |
C:\Windows\System32\cwlog.dtl
| MD5 | c8c5679bef306d697cb41059120db0af |
| SHA1 | f96628021383fc9789949802bca3156a38e78e52 |
| SHA256 | d693f31e544041ab9d914ff177e341013f076e98768cedda2826f67b3a0d18bd |
| SHA512 | 01fc88fe94f3553b7c0fb25e5e0fea294ee2333aaa0eaaebf42479955babba786a9472da0ff92b22a6bfa3b51a0755a937e5bc4b70357975de6d6371d5e145d0 |
C:\Windows\System32\cwlog.dtl
| MD5 | c7bea4fbf5891b26260127afb7533ca2 |
| SHA1 | 1e0e98c226fac9e3e876bae454441209c4ba8ab0 |
| SHA256 | cc0bd093b79708af3c2dad5f57920961c180692dc35f9cb39dde22b69f7d5616 |
| SHA512 | ac99234b0f353b19c487d122ea53a168ffeddc1a49bf65b05a1582185ba250976df06ff889a8db5ef16fab830c02c3f0526acd47104bf5aa1ddaa87dc143950b |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\tran.cmd
| MD5 | 8ff2a0df0d5a63f3a7061ec919ba6344 |
| SHA1 | f70cabc248d4ec9849657d39dda784717e355c70 |
| SHA256 | c0cd5f9fc6d23442bc1b81e9e6efb3e2abbeb744863bbb2106e2dd679bf039d7 |
| SHA512 | 96cb5a166da63e1d8b92f5a205c0c0ef616288d242f7c173f20015dde1d56e6a60e948ad32e5f3242e2fe6ae2e0659cf9e6e999748d7afd3003abd66abe15913 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\godo.cmd
| MD5 | 92ce8cbf009cea52544956d2cc6a810f |
| SHA1 | 1ab78049064fd7b6c4b775c2edf70ec58486c563 |
| SHA256 | 89f1e56537b38e367a79c33d75d3a2913ff249d7623363dc48f373eb1b8b14ad |
| SHA512 | 4de7c8a79fc7c89dce59ec5071ef214af84d5c9e9a3a82956e13c5e2df0a2759a1413970d47cc156d98134992ff6ce43d4d862840190629fa24eed42f4f6dbc8 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slmgr.vbs
| MD5 | 38482a5013d8ab40df0fb15eae022c57 |
| SHA1 | 5a4a7f261307721656c11b5cc097cde1cf791073 |
| SHA256 | ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8 |
| SHA512 | 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\tick.cmd
| MD5 | d32c42e48ddee14fddd78bae6866cfc2 |
| SHA1 | 350a4c21e021c6fd3393793f22158e5c73deb2c1 |
| SHA256 | 7ba5af7f29496e9c5eb780cd484623ecaf0443299ea9693261516dfb60401266 |
| SHA512 | 615c7f837e1588b709f19570a5a6f43554133df67de950367152230626f303da5cdd0359b888eb3febb80ac1321a91256e1c61d5eb2aabfc3c5ab3c1cfa94996 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hash.cmd
| MD5 | 467b51f35949c5a3f722ba736ce920e4 |
| SHA1 | 525638ae64c3d2e3518c7b1debc661a251b8d285 |
| SHA256 | 6c28fa6bf656b77085b464485fd085d4d6eeb7e3a0ff2dff690dc813b492580c |
| SHA512 | 93d6c5a3eaaecd4d461654c09d4771217570139d39d0dbd06b1593965c7f4196e94594f8156b50ce58830e0694abf5e0e30d6c2ed63e5f482c5c797f22bc4c59 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
| MD5 | 682ac7bb084c88e73d628cdf57dff336 |
| SHA1 | 652fb5d2fd9467f1ebf5bb3ba7a5daee87b62e0f |
| SHA256 | d9c72a8ceccb6d73dad98ef44495738286286e85102e033fe7f09069bc02fba2 |
| SHA512 | 2c599a1b11f476bb0e1c9bc2b4b30125ebe1e819fbd41c30c10c6770177f2d6ddc4dd91d1ee813a9223e6879accd4fa99dd5a46c8f1723acb7e63b2831e2ae9d |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\wslmt.dll
| MD5 | 2ba3a706f9e5b8a30dd84f53b022a8ee |
| SHA1 | 3aa34c784f16a4f8a5f2b58265f926660b3317f4 |
| SHA256 | fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55 |
| SHA512 | ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\ownc.cmd
| MD5 | f16f9a87e6a9f18921a30ac379b81995 |
| SHA1 | 3e02237a1b2640138a14d47e2781b8bf8051ad08 |
| SHA256 | 9177bac8288a592264dd90d2c956433a8818f1a34a5d864bd626df3fde0e0cfa |
| SHA512 | e60013c4bd894d7426680653653599e335fcfe70a3f5da8b54b443134250853a9755acd3a49aa46ec4b017fe3db403e5c7ddbb4bcfa320825c2067a77fc6760f |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\mtmp.cmd
| MD5 | 02d7ebad35b5624a751243d101a540ce |
| SHA1 | 4f9f0e0d47c78511ca88776fc86ece16055df66e |
| SHA256 | 7686c1b97d3f80d042aac35d82b5e5b558a494ae3e0e35de81a47c413d9020ac |
| SHA512 | 04fc1f935dd996ed1528c9bdf33e783a14a327e4f4477caa1fd5b9312cd3c37792c99b7364e7142284a161fc8c1ff146ca338aea2f1981b27aacf5b95d9e1387 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
| MD5 | 2e2827ba66bfe75bc2fe2d0a02eecc73 |
| SHA1 | 97e85467a9a24a89ab9d2969d5cb7275083c04f2 |
| SHA256 | 4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb |
| SHA512 | 006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734 |
C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl
| MD5 | 7a3b8ec21ac9956ed258f5b397d281ab |
| SHA1 | 63cc8f5ca73640fa5fae2d20e69ce393a07a873d |
| SHA256 | bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683 |
| SHA512 | ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c |
C:\Windows\System32\cwlog.dtl
| MD5 | f2d504a607de292f182d60a5d9e4999e |
| SHA1 | 91f7994209cb2b60b514066b5d0a42776a395709 |
| SHA256 | 4950dfae742ecab9d8e89be47354abef3acabe5a55ec91187cd572f4a5f15872 |
| SHA512 | 376411b8360dac5282c18d6dfbb66e75f61376b39ba05df970520ecffcf05d9a3ee69c55c4c71300f9877c43f9a7086c68a4eb4921359aa3f3e39940b818e151 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slwga.dll
| MD5 | b6d6886149573278cba6abd44c4317f5 |
| SHA1 | 2b309f9046bd884b63ecb418fe3ae56c2c82dd6f |
| SHA256 | 273c05c8504ca050fe6c50b50d15f32064ec6672ae85cde038976027ca4b14d3 |
| SHA512 | 56352f53e5c88d9c22188480a5cf4d744857774f56e08b53898cda00a235a6be9b3134dc5b58ae2531b06664f6f09c3ec242e227b3dd2235299290805428ff40 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
| MD5 | 2d9a30606a718bfdb4e5e9b6c2939881 |
| SHA1 | 298b80c781aa4e2cb6fc6f4efac9a565b9b13c82 |
| SHA256 | 1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51 |
| SHA512 | c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64 |
memory/2628-234-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slwga.dll
| MD5 | 7edc3c01ffe76fbe4f88ed6cf7e93d2a |
| SHA1 | 28f447f52c3601f5771d1d6af8177acc5d18dfc4 |
| SHA256 | a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7 |
| SHA512 | 003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8 |
C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl
| MD5 | 61975a8f1f2b5a9685c3aa2d921fbf8a |
| SHA1 | 5870879badbe315599676e138e06b7cccdcab03c |
| SHA256 | 113fe46916078dab361a7b96660179ef62694440bbed56436b63a43de6d29d80 |
| SHA512 | 3820004d05a25d6094543d1b323dcbda0cb633c2f6873f8e12c455315a5d5567882a3ca6d3226dfbbcd3ee584ad9346228e32b1ef7ac3bed97c29f73e551f236 |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\32\slwga.dll
| MD5 | 19f75d71e4256f5113d64ce2bb66b838 |
| SHA1 | d3b46cf10ccb0aaff8153c20c6aa2dc2627dee79 |
| SHA256 | da54cd8811bc71fafdd0d0b12b901747da752f49507edcc740cbbcc2ac3a340f |
| SHA512 | a48e0759911f3b0e59736b2654e13c685aa1f2c058ddc2307f050ea6f891bb9382f2aae2cc7611e8a11b2b4c2635a53c52fd19597f932455ca2608998d9bc75c |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\32\gsr_0000.tmp
| MD5 | 788a402d0fcc43662ba8b73c85c63c7f |
| SHA1 | d5cec0d57a7516db6cdecbdc3d335db24444037b |
| SHA256 | 79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60 |
| SHA512 | 8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e |
memory/1276-275-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\sppwmi.dll
| MD5 | 85eebb24b18781a3d4a8558d8c294a6e |
| SHA1 | 03a6659983cf14e9b2334df9fd32e49079998364 |
| SHA256 | 85d17a0a081907c2c5c0eb856a8639704af47bb7bba508101b3a1c23f742a885 |
| SHA512 | 4fc93cd158891b356eca4b2e719fb825e0aa0b55d705bfddbcad256727a3099c8cc79e4292656b57364f2495b0937241715946b815c4bf61bfd00f6df65b956b |
memory/3036-316-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0000.tmp
| MD5 | d745f0b3bfa805ccf82a6a883dd3e441 |
| SHA1 | e6807f4e035f25dc649fc9222252546b9d5512ca |
| SHA256 | 2b5de3ee2b03580f5f09cae530a9f92e6063727405e9906278badec0b6644450 |
| SHA512 | e6af029017a4ee84ceb724b00009fa18336c581941b4609b8ad011a46286394f22c9e410a08c876add1170b462db6d6504674d35243874cd0df427527c099259 |
C:\Windows\System32\cwlog.dtl
| MD5 | 1c33249d6c150a09afb8087002f52074 |
| SHA1 | b409fa9092b830bf9c605adabc17bc91f70dcf8c |
| SHA256 | c62d520f26c02d8c3dc0cb264fe9094491b83ca7c1c7270872ddf30ee88fb1da |
| SHA512 | b7683716d506c4ff9f31c6011c938fa6fc7e749be7d737e903c696b95254b3b65d4a68c9af405da3f03190d371c4e11a6faa95ee53613d3d2bb72541d52d0c8d |
memory/888-326-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2416-332-0x0000000000400000-0x000000000040A000-memory.dmp
C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\32\sppwmi.dll
| MD5 | 5f5bb7c391d0e98338bf64b19c81f1ff |
| SHA1 | 8c275b466c4076d3c6fd9f62cf9e4a9f1342987a |
| SHA256 | d8db4892ca7d736b1f51d96d1656ecce2361ee72308e7c2d0c2f9fe8725e464a |
| SHA512 | e475a04f6379126f8289ee3360babe53ba62ae0345e51a22239cf8351abeb9b834c4912a69df57c5816a8ff9000bc41eba55121222c654d10b0386bbcac22aa0 |
C:\Windows\System32\cwlog.dtl
| MD5 | c8b99ad44da7a89087ce7422d8f8247e |
| SHA1 | eec118f0b9097642dd0ba227abca7e128a21b126 |
| SHA256 | fbb9890f72efcf8ffa8f2d576da522c630b59384a55dd64f279014b8c533c3b1 |
| SHA512 | 439ff954fb44c7e245fffca2312f5ecb1496176f14f6b679fb633d766634ca15507bece3458333eceb43068c7f8852d24ff6c9df880d4243a7b5bed57c9fdecf |
memory/2128-358-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\32\gsr_0000.tmp
| MD5 | 0f97e6414569172cf3762b1b49427609 |
| SHA1 | 32d1b503ac8b1d85e3097a3a80ea6e6204cfabc2 |
| SHA256 | 46ee9e7a4cc656f5907031439ce11b5f189b8cfde60102b5a9f1786eba10558c |
| SHA512 | 288007562c9ce851826a036880f4007e37f51c4975113123ad4e08296808c22bf08cff30b53efaa3c0be5ca66e043cb85ce34a75d09021ea80dbd06633362f31 |
memory/2480-368-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2288-374-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1988-395-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\System32\cwlog.dtl
| MD5 | 1bda73b95a26eac4c772151f3c7e6884 |
| SHA1 | d9fa7a57e47ae338d1967eca06a609264d267080 |
| SHA256 | 9a73ca98fe5393663ccec7a2a6708ba98086d6e363afa056e5fa28bfbc44020b |
| SHA512 | ae3daa430e431799d22f15f85fd2686b6bec89b5b5d03c680350ede217562a9434989291a16039a86b40610abf98e7d3f6c66873aeb25232b2718fc4d2748a40 |
memory/1112-402-0x0000000000400000-0x000000000040A000-memory.dmp
memory/620-409-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2532-416-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1576-423-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1072-430-0x0000000000400000-0x000000000040A000-memory.dmp
memory/412-437-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2600-444-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2728-451-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1584-458-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2624-465-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2260-472-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\System32\user32.dll
| MD5 | d186babdfae7c0d93c9f6ae63957ee96 |
| SHA1 | 3bae058e194bab58eb0da58ac4189f8594294388 |
| SHA256 | 74e5f9e83d89c0bd78dbd2873455ef1c9fdd6110d274c82ed82259fd51acb893 |
| SHA512 | 26c7c2305183079dcd12074f4c405ba37ca60fe507db7d363b11c70b7fe9337bee4dff6a3cb5f58f5d8f025a360627e1285a20e75937527ebd131234b6e04c75 |
memory/1520-499-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Windows\System32\cwlog.dtl
| MD5 | c5284c7d2f7b432917d9d4438bc5b36b |
| SHA1 | 0d512150d3199045efe79afe72da6dde58007dd7 |
| SHA256 | 9c5befb32014629130498d6d634c94f6b075527e9b1e2308b09fbc53baf3eae7 |
| SHA512 | f21a88d32b22b2517abca0586ea123a1104ae4b3d1d553412602571afa46213068873b5374ac844822ed15bc52ced3bf853321c479e3a92c2bbd475d4415f18e |
memory/2692-507-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2660-506-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp
| MD5 | 3201181b38256a815b911314c3871a9c |
| SHA1 | 1adfb13690a8c43f78fa300e2672e62d13febd9d |
| SHA256 | c043d077818b2862f959c4c20888e6ef920d9509542f5140de0bc7d5d7beea1f |
| SHA512 | 882374a99ad570768ddb2426070804bb7765376c126fa9a6c29249f01a24a1b70315fb405a456a09fbaf46de1a630e3984c5d67338f6b5c61fde5a51dc71c8aa |
memory/2264-514-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2972-515-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/3016-522-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2580-523-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/816-524-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/756-526-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2800-552-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/796-557-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/1164-559-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Windows\System32\slui.exe
| MD5 | 4a70dc889e9b792b83c68348709d3edd |
| SHA1 | 826791f1b69bb85b5f6155982e03bccdb7c22eed |
| SHA256 | 3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f |
| SHA512 | a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a |
memory/2292-585-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp
| MD5 | b798f38be4180a30248c9892ea9957e4 |
| SHA1 | 2f31351a29d36dd87cb7463f869d6075588c0142 |
| SHA256 | c2ac36912654e2e6845c5308693611b754b0440cfb8ea5fc1ac03346fb4d08af |
| SHA512 | 5e61823127062861f9caa495ec4c4d11e3bf7687d3d2df5450c68faff2e311d369497e2d687e2e78994856b532856c03c84f9d20003ff2186223e2bd4d335796 |
memory/1672-592-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1756-593-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Windows\System32\cwlog.dtl
| MD5 | d6ba2d246d194416b3eec380d4a0c83b |
| SHA1 | 923fd60b4692a031ee2ff88969de7ce7bc210c7c |
| SHA256 | 9eb3d5d9d91eaeb1fc56d3a36d142515ac629d03d44eec6918232c5a2c5a6d87 |
| SHA512 | 8dcc5dab9d8787cd243d41815d34fd30686355ca2a1a114cee4219a6dbe245392b0c10178d1802e74c15b286fcf6696bfd2e7d0f845633135d84a921b464d91a |
memory/2096-600-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1456-601-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2068-608-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1580-609-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/1864-615-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1320-617-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/1280-624-0x0000000000400000-0x000000000040A000-memory.dmp
memory/356-625-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2532-632-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2032-633-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2676-640-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1760-641-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2356-648-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2820-649-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2632-657-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2724-656-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2784-658-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2760-660-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Windows\System32\cwlog.dtl
| MD5 | 1720bd5ab05a4a5ca4e4a7d87aa9c295 |
| SHA1 | 925eaaa3eefd25c12c65144a55798e0c90627c4f |
| SHA256 | 64556f0df4467d77cab8ee411986a8fb911cf4cc05543d5a9d6be57302eb4d9d |
| SHA512 | 24a497611ff047da753c1ffbe378752b2628cb3e7cdaf858e3683b56d5f6f7a4f343b18f8eadd8eaa17e6535888c76044915086cbd6484de7460c59e8e5762cc |
memory/2772-686-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/1996-693-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp
| MD5 | 3540689ec7512dbb54e0a516e3b13467 |
| SHA1 | 6593eb5196196c42dbe77403cafd3ac9559d58fa |
| SHA256 | 556184133b2d6e2fd37d86e63bfac35932cb95c21ebcb03770977a445ddc0668 |
| SHA512 | 77b04d09889f11c0e94d7412405f5cc24e87d2128c50a73ac1134f589097280b7588b095a141f82a88a6f03e78133a1d89484b53ecfd7cde6f627b1a1a53a4c4 |
memory/2444-694-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/1060-701-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2468-702-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2904-709-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-710-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2952-717-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1520-718-0x0000000077940000-0x0000000077A3A000-memory.dmp
memory/2660-725-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1564-726-0x0000000077940000-0x0000000077A3A000-memory.dmp
C:\Windows\System32\winlogon.exe
| MD5 | 87a00ed70fec36d0dd968e5058c29aa1 |
| SHA1 | 9d9e8c4f35b0b5d6077d71eb279bb3195c71979b |
| SHA256 | c64c7af3688e9557e7b115375c3c3a41fd2e469ff9ac39eb549b3fe9bcba3315 |
| SHA512 | f5e5c7fe4a4f40e747aeacd12290a9b841486560566a0a70821b39cb60501e88c7acf8427128a02c088a43ccbec609ba09fa84e2b8ac3bb15be4ceae69e7a4a8 |
C:\Windows\System32\winver.exe
| MD5 | b6d47606cc11ba2c58f12fe01983f77c |
| SHA1 | a7046870240beb9555991020981d398af7ac56e8 |
| SHA256 | e6746e6f90d311bb769394ea1247f04f669184a08ecb2a8b237aa5185414dc1b |
| SHA512 | 729962ac9d8cc2bdfc8f1d2f66e9aeddaef819d9d6b6e4aa235196045558c0ff0ffa0925e7e0a1ebf608ee886d58e1dea91fda82456da25ee1fde65547fbee11 |
C:\Windows\SysWOW64\winver.exe
| MD5 | 517a63ea2af1a35de43b9677e197d3e2 |
| SHA1 | 75cce1d13e9f008fd18046d49cc4997b65092cde |
| SHA256 | 7f034a0a09d38bf561cd22b8064b18e0b70970a471c0b3a5517324916802407d |
| SHA512 | 6f29840690bb456192581e001dcaaf10f3f9b6ca986c3936994ddde1d623129c6dbeecae3a2e26720c20ef8f6ce1662debc04fc06fa17139f8ceb9e34c6b3dea |
memory/2812-893-0x0000000000400000-0x0000000000BB0000-memory.dmp
memory/2876-897-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp
memory/2876-899-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp