9a3ec35a31013c62a9061d4fbd16a4b81528acd61bee5769c870b41697572039

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Terabysoftaller.exe
Size

1.2MB
MD5

5757869619f9fb2dcf0b5dd948e6786d
SHA1

c3e95cc715d70b21f0c395c87d06e0667e076b0e
SHA256

1df6e1411a40905896507f975eb6c663f2943c984451ac29cc8969e521a4dc8e
SHA512

c6140885bbc43ac6c60c70976458e6282a8d84f8ecedac0cec6808c80a42f40b4f1930c3868081a5b8984c3c3e23fc925ab4ec9a2e43a2b4e946ecfcfc0436b8
SSDEEP

24576:Z5xolYQY6qRmJkcoQricOIQxiZY1iakDHoFkFLYaT3rbvEB:cY8JZoQrbTFZY1ia+H1FNDrDEB

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2752	terabysoftaller.exe
2660	icsys.icn.exe
2604	explorer.exe
2400	spoolsv.exe
2384	svchost.exe
2796	spoolsv.exe

Loads dropped DLL 12 IoCs

pid	Process
1048	Terabysoftaller.exe
1048	Terabysoftaller.exe
1048	Terabysoftaller.exe
2660	icsys.icn.exe
2660	icsys.icn.exe
2604	explorer.exe
2604	explorer.exe
2400	spoolsv.exe
2400	spoolsv.exe
2384	svchost.exe
2384	svchost.exe
2136	migwiz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	terabysoftaller.exe
File opened (read-only)	\??\u:	terabysoftaller.exe
File opened (read-only)	\??\i:	terabysoftaller.exe
File opened (read-only)	\??\l:	terabysoftaller.exe
File opened (read-only)	\??\m:	terabysoftaller.exe
File opened (read-only)	\??\r:	terabysoftaller.exe
File opened (read-only)	\??\p:	terabysoftaller.exe
File opened (read-only)	\??\t:	terabysoftaller.exe
File opened (read-only)	\??\v:	terabysoftaller.exe
File opened (read-only)	\??\a:	terabysoftaller.exe
File opened (read-only)	\??\e:	terabysoftaller.exe
File opened (read-only)	\??\j:	terabysoftaller.exe
File opened (read-only)	\??\n:	terabysoftaller.exe
File opened (read-only)	\??\w:	terabysoftaller.exe
File opened (read-only)	\??\y:	terabysoftaller.exe
File opened (read-only)	\??\h:	terabysoftaller.exe
File opened (read-only)	\??\k:	terabysoftaller.exe
File opened (read-only)	\??\o:	terabysoftaller.exe
File opened (read-only)	\??\q:	terabysoftaller.exe
File opened (read-only)	\??\b:	terabysoftaller.exe
File opened (read-only)	\??\g:	terabysoftaller.exe
File opened (read-only)	\??\x:	terabysoftaller.exe
File opened (read-only)	\??\z:	terabysoftaller.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0030000000015c50-5.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe
File created	C:\Windows\system32\migwiz\$dpx$.tmp\c51aada990f3ae42a0b99b352b3da628.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	terabysoftaller.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop	terabysoftaller.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2472	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	icsys.icn.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2384	svchost.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe
2384	svchost.exe
2604	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2384	svchost.exe
2604	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1048	Terabysoftaller.exe
1048	Terabysoftaller.exe
2660	icsys.icn.exe
2660	icsys.icn.exe
2604	explorer.exe
2604	explorer.exe
2400	spoolsv.exe
2400	spoolsv.exe
2384	svchost.exe
2384	svchost.exe
2796	spoolsv.exe
2796	spoolsv.exe
2604	explorer.exe
2604	explorer.exe
2136	migwiz.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2752	1048	Terabysoftaller.exe	28
PID 1048 wrote to memory of 2752	1048	Terabysoftaller.exe	28
PID 1048 wrote to memory of 2752	1048	Terabysoftaller.exe	28
PID 1048 wrote to memory of 2752	1048	Terabysoftaller.exe	28
PID 1048 wrote to memory of 2660	1048	Terabysoftaller.exe	29
PID 1048 wrote to memory of 2660	1048	Terabysoftaller.exe	29
PID 1048 wrote to memory of 2660	1048	Terabysoftaller.exe	29
PID 1048 wrote to memory of 2660	1048	Terabysoftaller.exe	29
PID 2660 wrote to memory of 2604	2660	icsys.icn.exe	30
PID 2660 wrote to memory of 2604	2660	icsys.icn.exe	30
PID 2660 wrote to memory of 2604	2660	icsys.icn.exe	30
PID 2660 wrote to memory of 2604	2660	icsys.icn.exe	30
PID 2752 wrote to memory of 2636	2752	terabysoftaller.exe	31
PID 2752 wrote to memory of 2636	2752	terabysoftaller.exe	31
PID 2752 wrote to memory of 2636	2752	terabysoftaller.exe	31
PID 2752 wrote to memory of 2636	2752	terabysoftaller.exe	31
PID 2636 wrote to memory of 2404	2636	cmd.exe	33
PID 2636 wrote to memory of 2404	2636	cmd.exe	33
PID 2636 wrote to memory of 2404	2636	cmd.exe	33
PID 2604 wrote to memory of 2400	2604	explorer.exe	34
PID 2604 wrote to memory of 2400	2604	explorer.exe	34
PID 2604 wrote to memory of 2400	2604	explorer.exe	34
PID 2604 wrote to memory of 2400	2604	explorer.exe	34
PID 2400 wrote to memory of 2384	2400	spoolsv.exe	35
PID 2400 wrote to memory of 2384	2400	spoolsv.exe	35
PID 2400 wrote to memory of 2384	2400	spoolsv.exe	35
PID 2400 wrote to memory of 2384	2400	spoolsv.exe	35
PID 2384 wrote to memory of 2796	2384	svchost.exe	36
PID 2384 wrote to memory of 2796	2384	svchost.exe	36
PID 2384 wrote to memory of 2796	2384	svchost.exe	36
PID 2384 wrote to memory of 2796	2384	svchost.exe	36
PID 2384 wrote to memory of 476	2384	svchost.exe	37
PID 2384 wrote to memory of 476	2384	svchost.exe	37
PID 2384 wrote to memory of 476	2384	svchost.exe	37
PID 2384 wrote to memory of 476	2384	svchost.exe	37
PID 2752 wrote to memory of 2464	2752	terabysoftaller.exe	39
PID 2752 wrote to memory of 2464	2752	terabysoftaller.exe	39
PID 2752 wrote to memory of 2464	2752	terabysoftaller.exe	39
PID 2752 wrote to memory of 2464	2752	terabysoftaller.exe	39
PID 2464 wrote to memory of 2136	2464	WScript.exe	40
PID 2464 wrote to memory of 2136	2464	WScript.exe	40
PID 2464 wrote to memory of 2136	2464	WScript.exe	40
PID 2136 wrote to memory of 1208	2136	migwiz.exe	41
PID 2136 wrote to memory of 1208	2136	migwiz.exe	41
PID 2136 wrote to memory of 1208	2136	migwiz.exe	41
PID 1208 wrote to memory of 2472	1208	cmd.exe	43
PID 1208 wrote to memory of 2472	1208	cmd.exe	43
PID 1208 wrote to memory of 2472	1208	cmd.exe	43
PID 2384 wrote to memory of 2204	2384	svchost.exe	47
PID 2384 wrote to memory of 2204	2384	svchost.exe	47
PID 2384 wrote to memory of 2204	2384	svchost.exe	47
PID 2384 wrote to memory of 2204	2384	svchost.exe	47
PID 2384 wrote to memory of 2740	2384	svchost.exe	49
PID 2384 wrote to memory of 2740	2384	svchost.exe	49
PID 2384 wrote to memory of 2740	2384	svchost.exe	49
PID 2384 wrote to memory of 2740	2384	svchost.exe	49

C:\Users\Admin\AppData\Local\Temp\Terabysoftaller.exe
"C:\Users\Admin\AppData\Local\Temp\Terabysoftaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- \??\c:\users\admin\appdata\local\temp\terabysoftaller.exe
  c:\users\admin\appdata\local\temp\terabysoftaller.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\wusa.exe
      wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\System32\migwiz\migwiz.exe
      "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2472
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2400
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2796
      - C:\Windows\SysWOW64\at.exe
        
        at 19:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:476
      - C:\Windows\SysWOW64\at.exe
        
        at 19:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\at.exe
        
        at 19:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\888.vbs

Filesize
280B

MD5
8be57121a3ecae9c90cce4adf00f2454

SHA1
aca585c1b6409bc2475f011a436b319e42b356d8

SHA256
35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

SHA512
85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wl.jpg

Filesize
80KB

MD5
029c9dc90ef99fdfba31c7e68e57138c

SHA1
1c994c598dd48de99a9250f363b738fbb84ce85d

SHA256
c8eba53df4d268ef0ddf382778290dc1a13faef122f78c92ff393f3081b7a135

SHA512
6209b9da1381654aaaada8cbb6bdf2fe88fd539a1c1ff68180bf1023399cbda5b0a1530796cff4f6be36bc44f313a765c63109a8b25afb9678818cd712dd88d0

Download Submit
C:\Users\Admin\AppData\Roaming\Lock.Microsoft

Filesize
8B

MD5
de6fdff1993c731e52e49d52a6e684d9

SHA1
120d1ff8a24109eed24ac1a5697383d50bcc0f47

SHA256
645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42

SHA512
99d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
1b6fccbc3e60fea8ce99c88318abedb6

SHA1
3750cd070bd279ac31836be12ba4197c0a408915

SHA256
21e822b4bda5354d7d98997d2cf96c2f283f93ec6b45eec709b870b260250aa4

SHA512
5052ad50e36cbedafcfe46d77f1ccdaa5deb92c8c209eea1ad71be94ec063a0e4c87d7331e540e02119ac32c593543fc92d82a7bb5ef6224cc1e722d00814165

Download Submit
C:\Windows\System32\migwiz\CRYPTBASE.dll

Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
\Users\Admin\AppData\Local\Temp\terabysoftaller.exe

Filesize
1013KB

MD5
a834493f082279e30f42207b9d869e36

SHA1
a82afa52664e50e34563f8675b18c55f946d5636

SHA256
16776d58278432ec05e34fcdeaae59872c24d2f54b5870ad75f23f1bf4a6ca24

SHA512
a37abde7665ac1642fb9df58f440620755ae44fc5978b1c978beaff3e8c8ad78a43ce25e49d4e6bf3f6e9113ab9819c3171a01f827d880639e95a0905012e4a6

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
2344d07538f8b6ca19713893a6065c92

SHA1
899aea43926b14e25d073ac0c15154c66a4f4042

SHA256
18c6e88a1e2c766ad460052452c50871c6b26a08129c4fda402507b6795699b7

SHA512
1e7b53066f9d8986b6bbaa6842eba25faee46898f62f831b037db630737c0f22661d543a9df38330146ac9883a1427d23e0d8e48f570cf1c2e2e0ca0cf4cf875

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
6b62e80a948dea16dadfc9def03037e0

SHA1
452502b65ae97a07b834163f9798acbe7cf55e30

SHA256
a604845ed106aa3287ceddc7e49938696fd4c29833689579e403beefa3c25972

SHA512
dec4726ff8c8a7c859d5d36ff45e107bc9ade1543d9b7df34af81516eb6906ae016893477260f86c1ab73892421492d93b34e72569a6132313cf65200ccebae7

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
5b48a5f9d1206dd9b0420c09560b9fa8

SHA1
dd33324af96d33b66f5593283091439cf60887f7

SHA256
b273eb67ae69772a7b879974d74d159076bf566fe7bdf119923fc519ef7e3175

SHA512
336d6445306908f10e9d6271521c95638aa971aefa2cfe026858c31da553f6387d56a6f9cfef4e8b87cfc2d835a3d94217b0a369d2305913a7eaaeb234fe5bf4

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
c46b8c6d1f4e0865b590c1b0152e774c

SHA1
37c9c47a143a3977b1bf0c8b1f2237a40f8cbfb1

SHA256
175bfc85b38667ad643ee8a10be999d691e2f7da4957be660367d6c0ff0f7ca8

SHA512
9382e145f3100dd69ba048e26fcfd330390a478c465c50cec169a85aa5982ebeaa25362cd6b11bd773b94816e22863cf252147c0ac29233b203e5237550d80b3

Download Submit