Overview

overview

10

Static

static

3

9a77a96195...6e.exe

windows7-x64

10

9a77a96195...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe

  • Size

    91KB

  • MD5

    02298bc71b17e3cc682468a9e5c9789d

  • SHA1

    ff10519760f8a8ca6b4604c47aefb2fe67f4efde

  • SHA256

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e

  • SHA512

    15d5cd9c9d154932a9adc98357f2f0b9fdd15e807a9544c68d312b183b5dcd9fef08436f8422d855be33bd3a538e0f126fdaaf5d14902697bd1c906cb0a84169

  • SSDEEP

    1536:IFAutcCNS1mgnd2y1nrPlGiCcCBEulwHiFAutcCNS1mgnd2y1nrPlGiCcCBEulwN:IpWC4YgBPlGiyll8ipWC4YgBPlGiyllM

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4684
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4812
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3076
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3680
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4816
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1692
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3252
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3308
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:732
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3352
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4444
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4048
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:5100
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4508
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4660
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4032
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3796
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4148
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4272
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2652
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2564
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4888
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1776
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2444
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1812
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    22c9e9d0c712429e5087305388156d60

    SHA1

    54ad610f0fcfe24b575e8c591c7c0d7545a101d0

    SHA256

    3ad348f5603210e0203469af0241b697cb4390827e41033da44186712a0d7d6b

    SHA512

    a8b87e93e4d7f6a0271d1edb79d4063329f3cd19d4d69bcab8dd218c3a8ac3c5d688ae0622b567aac68cd585892cb5cbebbc5cdb80b4e18bb185d86bda27818b

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe
    Filesize

    91KB

    MD5

    cfb6e95310cf5fff1f0d8a69897cd225

    SHA1

    1b8fa9e03ac4097be896e97a4c027c54932c1d91

    SHA256

    69148b05932dc12077329d110b61f4c297340801787692905b978d9231e47181

    SHA512

    af225a1902b0ebd6579cc1dee16195e6e2af9a24cf790de572ffc2fbecc3677d35395f8b6f25f540c1bcbdf13548a1ba2d324056614ea28af8be808763fbaadf

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    91KB

    MD5

    304fcb4ec1b72fe15fad845b16efe94f

    SHA1

    244afa4e978ba0fb8e7a5f53a5163be4a14b4712

    SHA256

    95e83cf11ba4beb7b7cd63988d1d9ff51277eb881e6bfd8e58f3aae430c4787d

    SHA512

    3ab9896d584c041256738f10aafa6b475be03c0cae799e8748635b977da1897b49fdd0137d646c1edd298e08524d833b3c334ddb087bead514377382ac631e18

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    07fe7c18a57b3708721fea1b825877dc

    SHA1

    087d641aa76a3a93a2df2e76cd326388c77393cc

    SHA256

    a075a46fb8e8d8777d2a13bcf26112303413ddd3db923fe2b19e906ef7a3bc6a

    SHA512

    8a028089efc620160c3af54f06906523d3b33a5703cf2ac1f253235471b65e85ae69850db7725d2763363441dbd6db3189660450a32f436f6dfe552afcb074ac

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    f574a8a09c503e23400adf1417e5854d

    SHA1

    4f8215a79245ce0fe53801fed2547d2b1169ccc0

    SHA256

    78bd2908b90297a8b527e1b6b8aae555b82f0ea8122b669e74add03f726730d5

    SHA512

    4d2fd3f05846bfe8c2c7da689c3618aa980c84117f7c3e9b5e5d6b39ff7cc42ea5de17455d16611599839a340d149e5a9297f94df78db3f21702c4cf570c080d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    3239f362579bb289f9ec6e88565c5dea

    SHA1

    ef9b403e43c32f576c08bc66282f19af79d0f915

    SHA256

    2db448eb47a09575c720446af1b7c32d8febba04bc325bfde1099c95afe105a8

    SHA512

    80ff3da45320b8f92b86b5a66a73308e9a549eb83c154fc5cf04aa4404adb2eaa1c75fe019fa7e55b575440ee0491cb018e222d6d6475ba13c9c4efab057d5c7

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    aad8845179757b29951022eebdc5b80a

    SHA1

    55a713afce95ffe87cc3621324939fec9cfceeaa

    SHA256

    fa16aacba7674ef189338023d021170e1da87084e303157df566afa2bf581bc7

    SHA512

    390c97c12ad3e3c6b3bb155c6d4490c55bd9498d008d7cda8884fd164ea61869bfcc148bb1062e3d03902a4c0509d76d6afbcd6dd7e9b180e7d8f596cb34a02d

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    465c148c6ffccb4c8e2bbbc24d0be1e6

    SHA1

    3e43e6eecdd04f6117cc997ae48ab620654efc25

    SHA256

    49b7ba3b8b82cf1afb77cdc3afa6f1c129cf02fc0fe68d0b1447bc197b2efc2c

    SHA512

    e4db3f56a0e491fd638713e9ff8550ace80c41cf4dc69373c94202b1d239fe18b15e5fbd46ecc5b857f15f5f0672997d2447abc1d76ba1377166d329c3b59813

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    fde38c3307e639ea70e7a21e5b64baa6

    SHA1

    4431219fac7860b3d906e09bffd5e498df94cd24

    SHA256

    a2e50e3001a0898424ddda7f617f6d96499902d8e5a2645e7ada04e78256d7c5

    SHA512

    ce1ad1cfe5327767ef597a7b2881aef506643da9c60dc6772ccb3dfeb55cb33922c791ce9af631efba0ba50103e5605ac83686b8febaf78dd49499bc85125a53

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    558de64b744c838c5ab5adb2a1d49b9c

    SHA1

    c8068cbb0dd8a26f6c961629cbbe3f04e79489b7

    SHA256

    0eb7405295b7ebb7ca8b9297bf3e7ec5d61277636077e80544e49958549d3b4e

    SHA512

    f2ed67a2fb65a72ea4a5fb30ecc63611c1fc904a77c1315bbc3469d64be1432e28368011e6d684a9cccda3e15739024d92f60a7f020c24b25cb678c181043bbe

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    81ad313c4dcdfdd835fdf72d2a59dc6b

    SHA1

    e96ed85d61bbe0f2790f5f2129c2896119f68115

    SHA256

    525e1c9337f7f78a50e595ed73f959bb19125a8fb3af261f9e0bbe9d61bcb1b4

    SHA512

    bf70710babbdacd73901d967c16fdbd652ae28048199439e0c59a96bf7c2bcefeed458ba524fab5c1852ae59cac60a7ba286c0c6e3b90684d125a067c1ad0eb2

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    135d0ebbf96e554be3f9f2eea1a2528e

    SHA1

    a1305d1e7c8f7e814fe0c4bfbacc46f53bc86446

    SHA256

    f15901a66883c6cd9e7d873fbac1e1e16c027189b503bd67fcbaf182cd0e806b

    SHA512

    c3d56bff44db84aacad8708ea758752d809a6abd594043f89ee6fcb2c3066cb441e813cc612f2c988626cfdc70c5619a0d9d8bac779efc5a60310b51f2b373ef

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    02298bc71b17e3cc682468a9e5c9789d

    SHA1

    ff10519760f8a8ca6b4604c47aefb2fe67f4efde

    SHA256

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e

    SHA512

    15d5cd9c9d154932a9adc98357f2f0b9fdd15e807a9544c68d312b183b5dcd9fef08436f8422d855be33bd3a538e0f126fdaaf5d14902697bd1c906cb0a84169

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    83bb8dda6192272b1dcb80a2ebd98f6b

    SHA1

    af96737beb42a9439b9ecb1e44cbf233a60d435e

    SHA256

    a9cbafd3883a64d6aade8c0b109c64a4faaf30329c20fa09c0f2f031bf1952c1

    SHA512

    a1f2c42728d0c40a5b827a06ed31709029cb51b5a1ebca251d4c730ed4115dde7ac5b4f446c81aa9279d4d83878f6787f1e3f42d0c565de949738dd357db506f

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    65ca024e006368b61ba66cbbacddd87c

    SHA1

    b38ad6130a29c724f2bf019ce0315abef15f0ac1

    SHA256

    46c607a15268aacd0b9423bef394b9f9d470030c691390725eceeab90187f3e3

    SHA512

    5d7a607f2848aeb8b0bb91d833880fadeb976bffcfad9dd0e784190ab153db9a1d26b939eb8de3b20b679599c85eec822a443e3fb99abb2a0bdb1c7f17d3cb88

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    91KB

    MD5

    7d372a09269655569a2fdc50ced0a618

    SHA1

    1fcd84a2f57bad118ede49087f52a43aa47cd91c

    SHA256

    d64c4d6814909d8f42f5eb47e96a21320889592370c4f99c3882471402f83f52

    SHA512

    17f4f29123761b36a8b473fc19f60377004b3008f8d333d1e397a282e2a7cca1a3986c1fb67fbfda8347ea7fa376cefb10e8f4aecb1e0c93748f7ed4fa94291e

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    9ee79b7c11d491f8175349dd70d794c0

    SHA1

    2297d9633f0be2881b007eeb607828e5bc346e4f

    SHA256

    7c2a0f844979427591da3c4443ac8537e9bee9055fd81a193774005bf61c361a

    SHA512

    48ce9537e1aee50d0f5dc23fef107d245aa317e879b22f5c79f5f7b930a71f3f4dd9c05bd7431f9fab577bb478ca9d31d1f7f7899001e15d89b9892dd5853323

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    7d0fc0e8dce328ff451025c1f29de9af

    SHA1

    7fd9ca0b73a807c9a7d10c00aa5484a44c7a8a8e

    SHA256

    184494029b6f835e3e0a02d796a88b9173d2163b62e9ff67e20c086c2d73b3c8

    SHA512

    ce4a7669c0b17627955004ff0b1221e9ace939a2b654a8ce9812b75df668be34cdc2a240210f2e9fcde6cf0338a670624bd84113da23e4ac42a0b3bb7479c8f6

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    d95c03ebd3c6eab53bf07f044ec29796

    SHA1

    9cbcd225e05ddd0bdc3710bb54535ba2a795693a

    SHA256

    27e9eab9466ad96fc03baed90f34e3ef297efdb63e72b1d64bab75ae54379d87

    SHA512

    f1becef49caaf1559cd70c6bedaf30006f9a5c60c2c505f95352f3dd7f6d68c1964b77c43fe083d0dcf13b10ff5c7674a6e09f691ee86163e02ba7e0d3e3498e

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • memory/732-189-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1600-351-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1692-340-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1720-383-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1776-366-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1812-384-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1812-379-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2020-209-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2020-190-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2388-388-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2444-374-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2564-122-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2564-398-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2564-293-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2652-369-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2652-359-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3076-207-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3252-362-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3252-347-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3308-395-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3308-101-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3308-268-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3352-227-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3680-235-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3796-376-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4032-364-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4048-396-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4048-276-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4048-110-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4148-397-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4148-116-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4148-280-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4272-338-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4272-303-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4364-389-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4364-393-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4444-275-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4508-301-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4508-281-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4596-299-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4660-342-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4684-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4684-125-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4812-394-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4812-249-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4812-96-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4816-278-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4816-250-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4888-349-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/5100-271-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/5100-287-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download