Overview

overview

10

Static

static

7

575482a06b...06.exe

windows7-x64

10

575482a06b...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    575482a06b926609c5494f0c33d28dcb4a22ca4f88223faf425e1513496dd706.exe

  • Size

    57KB

  • MD5

    097e08d1be1ee38c8cf38f26f8328c70

  • SHA1

    b5318a8eac94220f8b4222d5a2f2025a48fccfca

  • SHA256

    575482a06b926609c5494f0c33d28dcb4a22ca4f88223faf425e1513496dd706

  • SHA512

    9427a56de073d428baeb2daaf7ed7453ec9b62df30881dd2e8e3cfcf55cbc1c09157bcbfe35a800a43d97dbbbbd46ff6b9744696ce806e06ff48b52c1236d6bb

  • SSDEEP

    768:Nh5sxVPFXfgaDjof4ZgHqLNhldu8pGTUTY26TsGrn5wFbUzMsPzB5GXwekfp:NHsxFJfgaDjofVKn1pGwTJOlw1UrKwl

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • UPX packed file 61 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\575482a06b926609c5494f0c33d28dcb4a22ca4f88223faf425e1513496dd706.exe
    "C:\Users\Admin\AppData\Local\Temp\575482a06b926609c5494f0c33d28dcb4a22ca4f88223faf425e1513496dd706.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2120
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2248
      • C:\Windows\Notepad.exe
        Notepad.exe C:\Present.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2928
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4772
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1120
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1424
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4120
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1984
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5012
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2504
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4472
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2152
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5092
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4360
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3124
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3360
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4228
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2872
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2164
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4528
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4648
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3100
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3996
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3836
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2652
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4964
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1384
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4240
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1104
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:984
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    57KB

    MD5

    ea859346e04c1bf712483ffe7eec791d

    SHA1

    dc84b87d80cb15df1605b74328af2b366b384fb7

    SHA256

    72699723e3176ce46c6b44deb34497b7681d42e372d4154c2b9de4b3af46d07e

    SHA512

    0b765a6997a4a5564e312a6629a787bcd8f1e43f31a6ce7b0e9bb79b15ff0dd0a0c2d37f2b3118e35dfe5bbddd45d271d5b87d30bdc1efb5f1172501dc19e563

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2f2fd3eb61897f92f95b1410416bf84b

    SHA1

    546f362c934a3fa5eeaf5504c0a55d28a7d9f36e

    SHA256

    795cecd6f36ca5162a403a0983498c31ef8a07f904ba025073d1a597e6ec0b25

    SHA512

    39d9a1ed17239fbe424c74a8e943c8a6857e52c9f2b75211cc6b9aec60f21711a1688f034209a05bac6d10a65cfb0f14c98e57d468040e8b198e946bdc283031

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe
    Filesize

    57KB

    MD5

    8a30d5f6ba87e6eb675f201643ea75f5

    SHA1

    a80b5d9eedc85e1bbbbd1284069193c5b94194b3

    SHA256

    9d3ee370497007f38893a3fccfbcc7c338856d7855438d1a500e68ae11ba5cf8

    SHA512

    d5ef44804c7258a738b9d879975f589a7a58100182c5065c39f16e41b2669ec6024447289f10d556c0a4ae1dd8375e9433b67eca45b7f37375fe19383b2956fd

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    57KB

    MD5

    13419db2b84d2b235fd10b09a7950f86

    SHA1

    27530ce64b66d2f0ee415bdfcf863be519d9a01c

    SHA256

    6fc672ca67c0f646d612f95e709fd9d874ed398d8ded174417300ff38bf2c9de

    SHA512

    fd52fd44cae6dcd7844ee58c01d748a904efec926f405b78564e12ae8f3c4aeae35b87a7cc3c0aca8d16b54e44e8425c163b95169f855f282fdefdf7d6e1aec7

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    e96c08505dff59909a09f7ad2bcb7cc0

    SHA1

    292bca6bf29ee293b5e9c795155bfb0b6c7732be

    SHA256

    07d50eed84c976219ccf9a2e945f8d16970d0000d933c6118656f699edfe39b7

    SHA512

    4485acd7bf8a71c2e77df7c53529f82f5a18eafa11e05d91578cbf8302a25b7f933701fb5963bda6aea7dc8404a2b1ad5e29450251f88f74e193e30f4f289607

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2dffd527da42c68f50ed83dfb6fe7ff6

    SHA1

    29dcc7ef10498c1f8aa1a8798992f5515af8f655

    SHA256

    beac727ed1149edd294e2f739f17fafdefc0c5a09b3348c8ce9e2dcd71c48c15

    SHA512

    c97fa41211d8a0789c61f6c2d0979702d84d17126bf5c468663c055ec5a534f2dba10a6628e80279af8a64f7dac86b7be8976d445d48dacb8cb188e1015c4e1b

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    25152ca31d2e4f205c6fe2332e09558d

    SHA1

    8255b2d01e1ada8f7fcd84726ae491195ca1e781

    SHA256

    b6d000cc3e0d52b8c277f914094a0f6bf43cf9d7e25786702f0af5e0b72b274b

    SHA512

    ff44ed23ec7c49d6b0f99dfcabd752174b3c9d9a2fd8b8fa5f5d8d21490b6397a31e0d7c5153dbe251180df9a2fcbf11586d1db3aa18dd553e7a488ef05113e7

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    57KB

    MD5

    a893fb1bfa595f4e58ed9f5192a08f01

    SHA1

    6fd6583d9956f9ba2314a220ded8b1ba9fcddff8

    SHA256

    be839cc38481eebf7bd2b88fb497099ae9120ecd857b52284c0de0dffd6fa3c9

    SHA512

    bc9df04086bf31858b48c2dd03949623c26177c1af20f3e1854cf097e962a56528c2c6ff41246f690a210403df360cb8130d53121ee605eb48351c23cfd066f3

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    57KB

    MD5

    755c82eb6269fc4004cc8f7f933b3021

    SHA1

    a89a1cbba351b45c912b2170847c17d934df448a

    SHA256

    e63389f55aae1c62ac9baa2c9aa2168ce88ac3efb913cd34569f47dac96785db

    SHA512

    7d6c33fdeb02be8fc775a1e004f7ff3871e3cd9ad189a614af909ecd2c7bfc65ebc320e3d0779c9fbaa5ea5829654da1c212c30fcf70ed46109b26bc64faf663

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    57KB

    MD5

    7e2e326ad3211ed8b7b6f1b2bdfeb59f

    SHA1

    5c22e666e9c6c3138144d802e896f8ef9663ced8

    SHA256

    e25d5b62b089d6f4155609f58003ef0d5f1f9b6114ed51369abd9f39f78a1ff1

    SHA512

    d155d9d9d30fc34dd210b751f0e802a554a4729b31ff05ceb51a605fbe9643b89edf27fb2654d4ce2e1abd96471bb90713ef8a459506b9573b962e778800c5d5

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    57KB

    MD5

    77649a6dc026fbd94fb403f5842f0249

    SHA1

    035978163bdd17f57856fce0e13773855b17114c

    SHA256

    0edbddbb65df507d2f8ec4819a303f1c4751eee25b56c726bd8f6abb039352f3

    SHA512

    2d9b0b7b3fe4e568174098492367dff0bb0a4ba6978ec59ed8441c0784c1cde12b180c4cf7143b19473c46b143b2d8f47ed02eda6bf4564be644f3958e6b36de

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    57KB

    MD5

    097e08d1be1ee38c8cf38f26f8328c70

    SHA1

    b5318a8eac94220f8b4222d5a2f2025a48fccfca

    SHA256

    575482a06b926609c5494f0c33d28dcb4a22ca4f88223faf425e1513496dd706

    SHA512

    9427a56de073d428baeb2daaf7ed7453ec9b62df30881dd2e8e3cfcf55cbc1c09157bcbfe35a800a43d97dbbbbd46ff6b9744696ce806e06ff48b52c1236d6bb

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    57KB

    MD5

    d9ce17bcf4896ec15720d7c97a4f9fce

    SHA1

    069810919f5b127a8760cbb74cf5698bd5ece10b

    SHA256

    27452cbce30f660e1f7266ebf07ac873019b72982883d3d0f9cc6000c4e4d762

    SHA512

    1b6e8f337e1242128974048323141b155b5e517db9327350b31c709396f084861e6fae1b4d0aa7095ad06a56865fafcd2b86c9fda083d6ba1eb6511880561138

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    57KB

    MD5

    bade66d9732bbe86965d624f271eaa07

    SHA1

    d4a4f3efe28ecd7ccb2aca2c7b3ebab297be1961

    SHA256

    680237033a78350914762918e26bf4bf88329a38995ab478ccfc4aa131cb9ce7

    SHA512

    5133c7351eb956ad484b9bcf8e102fcb8c1a0bf177f7c61825d3e3222670f702fd8adde3c5c6e175f2b6b145f33121f12ca67e4acfce05103437122592dfa7c2

    Download Submit

  • C:\tiwi.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • memory/972-379-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/972-394-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/984-381-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1104-368-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1120-166-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1384-336-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1424-171-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1984-222-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2120-127-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2120-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2152-280-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2152-323-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2164-383-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2248-210-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2248-96-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2248-396-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2504-212-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2504-252-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2652-378-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2872-370-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3100-337-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3124-398-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3124-111-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3124-279-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3360-341-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3836-365-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3996-333-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3996-353-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4120-187-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4120-173-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4228-356-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4240-354-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4340-395-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4360-363-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4360-347-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4472-250-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4472-276-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4528-391-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4648-305-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4648-399-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4648-117-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4772-157-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4772-162-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4964-321-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4964-123-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4964-400-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/5012-397-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/5012-249-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/5012-103-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/5092-330-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/5092-340-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download