Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 05:27

General

  • Target

    Output.exe

  • Size

    7.2MB

  • MD5

    912ebadfef2b79a661c0fce42a1b27b0

  • SHA1

    f8c897682d6c2cc498cd2ddc96468a0c60fd5ef7

  • SHA256

    910d16a563b45f12c900a6d1c534e21bf5a0bb6a46485985ef6cd4eecd22cfa2

  • SHA512

    8a6ce1f9a00fae3238506b98bc34ee093a8d44974e51fdd4c6fdffaa78fc70c47c9006c353ece33c4411c84e6deba34a9a7f9e4ce7cca8104a1b20b18bb5ff29

  • SSDEEP

    196608:IYvleFwTit7oAsKbscSd27W3lXz2K47M2L:IXwTCUApPSd2WlXz21Q2

Malware Config

Signatures

  • Detect Neshta payload 30 IoCs
  • Neshta

    Neshta is a file-infecting virus: it writes its own code into other executables so that running any infected program executes the virus first, which is how it spreads and why it damages the host's software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    PowerShell is run to change Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run the exclusion is the whole C:\ drive (Add-MpPreference -ExclusionPath 'C:\'), which removes the entire system drive from real-time scanning.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 36 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 26 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Roaming\x.exe
      "C:\Users\Admin\AppData\Roaming\x.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\wusa.exe
          wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          PID:1596
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\x_.au3
      2⤵
      • Modifies registry class
      PID:604
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\2399x0.cap
      2⤵
      • Modifies registry class
      PID:2868
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\BypassObfuscator.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\README.md
      2⤵
      • Modifies registry class
      PID:2756
    • C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe
      "C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2684
    • C:\Users\Admin\AppData\Roaming\ServicesTweek.exe
      "C:\Users\Admin\AppData\Roaming\ServicesTweek.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2512
    • C:\Users\Admin\AppData\Roaming\Troll~Virus.exe
      "C:\Users\Admin\AppData\Roaming\Troll~Virus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE
          C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE
          4⤵
          • Drops startup file
          • Executes dropped EXE
          PID:1868
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2244
            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE
              C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2636
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2872
            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe
              C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Sets desktop wallpaper using registry
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Suspicious behavior: EnumeratesProcesses
              PID:2988
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
                7⤵
                PID:1736
                • C:\Windows\system32\wusa.exe
                  wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
                  8⤵
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  PID:2520
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
                7⤵
                PID:2032
                • C:\Windows\svchost.com
                  "C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2660
                  • C:\Windows\SysWOW64\migwiz\migwiz.exe
                    C:\Windows\System32\migwiz\migwiz.exe C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1368
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\VWYQFE_.au3
      2⤵
      • Modifies registry class
      PID:1808
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\VWYQFE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Roaming\VWYQFE.exe
        C:\Users\Admin\AppData\Roaming\VWYQFE.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2452
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
          4⤵
          PID:2844
          • C:\Windows\system32\wusa.exe
            wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
            5⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            PID:2028
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
          4⤵
          PID:2004
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2852
            • C:\Windows\SysWOW64\migwiz\migwiz.exe
              C:\Windows\System32\migwiz\migwiz.exe C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1812
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE
        C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1568
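The tree above shows four behaviours worth alerting on: wusa.exe extracting 64.cab into C:\Windows\system32\migwiz\ (wusa.exe auto-elevates, and a cab unpacked next to an auto-elevating binary is the usual way of getting a side-loaded DLL such as the dropped cryptbase.dll into place), PowerShell adding a Defender exclusion for the whole C:\ drive, migwiz.exe being used as an elevated launcher for reg.exe ADD ... EnableLUA /d 0, and C:\Windows\svchost.com, the Neshta stub, starting other programs. What follows is an added example, not code from this report or from any sandbox vendor: detection logic for those behaviours, run over process-creation events that are constructed from the command lines in the tree (PIDs as shown there) plus two benign look-alikes, also constructed. The event shape, the rule names and the inclusion of pwsh.exe are the example's own assumptions.

```python
"""Detection rules for the execution chain in the process tree above (added
example, not part of the sandbox report). Each rule takes one process-creation
event and returns a finding string or None."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid image cmdline")  # Sysmon Event ID 1 style
Hit = namedtuple("Hit", "rule pid detail")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_wusa_extract_into_system32(e):
    # wusa.exe auto-elevates, so "/extract:" into %SystemRoot%\System32\... can
    # drop a DLL beside an auto-elevating binary (migwiz.exe in the tree).
    if _basename(e.image) != "wusa.exe":
        return None
    m = re.search(r'/extract:\s*"?([^"\s]+)', e.cmdline, re.I)
    if m and re.match(r"[a-z]:\\windows\\(system32|syswow64)\\", m.group(1), re.I):
        return "wusa extracting into " + m.group(1)
    return None

def rule_defender_exclusion(e):
    # Add-MpPreference -Exclusion{Path,Process,Extension}; a drive root means
    # real-time scanning is off for everything on that drive.
    if _basename(e.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)",
                  e.cmdline, re.I)
    if not m:
        return None
    kind, value = m.group(1), m.group(2).strip()
    whole_drive = re.fullmatch(r"[a-z]:\\?", value, re.I) is not None
    return f"Defender Exclusion{kind}={value}" + (" (whole drive)" if whole_drive else "")

def rule_uac_disabled(e):
    # reg add ...\Policies\System /v EnableLUA /d 0. In the tree this text rides
    # through svchost.com and migwiz.exe before reg.exe runs: match the command line.
    c = e.cmdline
    if (re.search(r"\breg(\.exe)?\s+add\b", c, re.I) and re.search(r"Policies\\System\b", c, re.I)
            and re.search(r"/v\s+EnableLUA\b", c, re.I) and re.search(r"/d\s+0\b", c)):
        return "EnableLUA set to 0 (UAC off after reboot)"
    return None

def rule_neshta_loader(e):
    # C:\Windows\svchost.com is the Neshta stub (the real service host is
    # System32\svchost.exe); it runs the program it was prepended to, passed first.
    if e.image.lower() != r"c:\windows\svchost.com":
        return None
    m = re.match(r'"[^"]+"\s+(?:"([^"]+)"|(\S+))', e.cmdline)
    return "svchost.com launching " + ((m.group(1) or m.group(2)) if m else "?")

def rule_migwiz_as_launcher(e):
    # migwiz.exe auto-elevates; with the side-loaded DLL in place it serves only
    # as an elevated launcher for cmd.exe.
    if _basename(e.image) == "migwiz.exe" and re.search(r"\bcmd(\.exe)?\s+/c\b", e.cmdline, re.I):
        return "migwiz.exe launching cmd.exe"
    return None

RULES = [rule_wusa_extract_into_system32, rule_defender_exclusion,
         rule_uac_disabled, rule_neshta_loader, rule_migwiz_as_launcher]

def scan(events):
    hits = []
    for e in events:
        for rule in RULES:
            detail = rule(e)
            if detail:
                hits.append(Hit(rule.__name__[len("rule_"):], e.pid, detail))
    return hits

def uac_bypass_chain(hits):
    # extract step + migwiz launcher step = the whole bypass; report as one incident
    return {"wusa_extract_into_system32", "migwiz_as_launcher"} <= {h.rule for h in hits}

REG_ADD = (r"C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD "
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f")

SAMPLE_EVENTS = [  # constructed from the report's process tree; PIDs as shown there
    ProcEvent(1596, r"C:\Windows\system32\wusa.exe",
              r"wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz" + "\\"),
    ProcEvent(2784, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -WindowStyle Hidden -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ProcEvent(2660, r"C:\Windows\svchost.com",
              r'"C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" ' + REG_ADD),
    ProcEvent(1368, r"C:\Windows\SysWOW64\migwiz\migwiz.exe", r"C:\Windows\System32\migwiz\migwiz.exe " + REG_ADD),
    ProcEvent(1136, r"C:\Windows\svchost.com",
              r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE"'),
    # benign look-alikes (constructed): a plain MSU install and a read-only Defender query
    ProcEvent(4001, r"C:\Windows\system32\wusa.exe", r"wusa C:\Users\Admin\Downloads\update.msu /quiet"),
    ProcEvent(4002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Get-MpPreference"'),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h.rule}] pid={h.pid}: {h.detail}")
    print("UAC bypass chain present:", uac_bypass_chain(found))
```

Run it directly to print the seven findings and the chain verdict. A real deployment would feed it Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled. The EnableLUA rule deliberately matches on command-line text rather than on reg.exe as the image because, as the tree shows, the reg add string is already present in the svchost.com and migwiz.exe command lines before reg.exe itself is created, and the two benign events confirm that a normal MSU install and a read-only Get-MpPreference query produce no hits.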

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

            Filesize

            859KB

            MD5

            02ee6a3424782531461fb2f10713d3c1

            SHA1

            b581a2c365d93ebb629e8363fd9f69afc673123f

            SHA256

            ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

            SHA512

            6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

          • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

            Filesize

            547KB

            MD5

            cf6c595d3e5e9667667af096762fd9c4

            SHA1

            9bb44da8d7f6457099cb56e4f7d1026963dce7ce

            SHA256

            593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

            SHA512

            ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

          • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

            Filesize

            186KB

            MD5

            58b58875a50a0d8b5e7be7d6ac685164

            SHA1

            1e0b89c1b2585c76e758e9141b846ed4477b0662

            SHA256

            2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

            SHA512

            d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

          • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

            Filesize

            1.1MB

            MD5

            566ed4f62fdc96f175afedd811fa0370

            SHA1

            d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

            SHA256

            e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

            SHA512

            cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

          • C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

            Filesize

            313KB

            MD5

            8c4f4eb73490ca2445d8577cf4bb3c81

            SHA1

            0f7d1914b7aeabdb1f1e4caedd344878f48be075

            SHA256

            85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

            SHA512

            65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

          • C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

            Filesize

            100KB

            MD5

            6a091285d13370abb4536604b5f2a043

            SHA1

            8bb4aad8cadbd3894c889de85e7d186369cf6ff1

            SHA256

            909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

            SHA512

            9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

          • C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

            Filesize

            171KB

            MD5

            74b2a0f7b9638b356fd6d016f1d26e9d

            SHA1

            e7de80ef91c4072e68ec6560b84da68809b440e8

            SHA256

            05ddd7ecdde93e8d5f067a85e99b622f3c0431e367b3761a83f988a59871f0fb

            SHA512

            e6c07f15ee29250948c2b6767cf1e91416f1d3ee87e6e169b9f6d5b9303314aefd1857ab07f934d75ea2674ab674c32d247de5c5b38cfb792d26432734f3f8e1

          • C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

            Filesize

            153KB

            MD5

            12a5d7cade13ae01baddf73609f8fbe9

            SHA1

            34e425f4a21db8d7902a78107d29aec1bde41e06

            SHA256

            94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

            SHA512

            a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

          • C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

            Filesize

            230KB

            MD5

            e5589ec1e4edb74cc7facdaac2acabfd

            SHA1

            9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

            SHA256

            6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

            SHA512

            f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

          • C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

            Filesize

            305KB

            MD5

            20d724819f31bd89107b7b930ea01f7c

            SHA1

            ec65940fe3e30d3309e232267c000cefc047e42e

            SHA256

            41d6a7e9725262e1c055b5979b4e9ab4b5585e5f3760c3edd5f175552713b365

            SHA512

            16dc256250c81df50a5e270c5a9c24dbfd9a04c258218e0cb96179011b4724426917b16c7fa0f87941f4ab7e4150c6a7bbab4dd11fac1c8ddde2602d2d259fec

          • C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

            Filesize

            228KB

            MD5

            b19c2fa49e278935e6a3087fdd0da46e

            SHA1

            04a5de16b6840a8fe68753028bd2ff20381ed720

            SHA256

            c70151fc7fb7d461ba596455bfc7e79e199a3c0ac766c5d67f9347b39e20b7b9

            SHA512

            0399a45ee6a87d5899020d4106bc6ff521285b34c61afcd4929b6274166f7585c01749a1ee1814e82c90a5d8deb1dfa28bde6b105029f74d33f7a3e848d0dc39

          • C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE

            Filesize

            2.1MB

            MD5

            6b63036a88f260b7a08da9814cf17ce0

            SHA1

            cac1bd549343a1c3fcefacc2d588155a00c4467b

            SHA256

            8f9fb3c2ce132a64e157738feaf82bb512ec03d03fa2da95c26470defeef513d

            SHA512

            383b8676a85e0f2447536bd15019c23bed15a51d633dafe5ac7bcbea75d8064ef9fd938461eab25df7f3eae3de18b87640e8cc12e95f7b58de1209937d8da284

          • C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE

            Filesize

            3.7MB

            MD5

            525f8201ec895d5d6bb2a7d344efa683

            SHA1

            a87dae5b06e86025abc91245809bcb81eb9aacf9

            SHA256

            39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

            SHA512

            f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

          • C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE

            Filesize

            606KB

            MD5

            9b1c9f74ac985eab6f8e5b27441a757b

            SHA1

            9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

            SHA256

            2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

            SHA512

            d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

          • C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

            Filesize

            1.4MB

            MD5

            5ae9c0c497949584ffa06f028a6605ab

            SHA1

            eb24dbd3c8952ee20411691326d650f98d24e992

            SHA256

            07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

            SHA512

            2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

          • C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE

            Filesize

            1.8MB

            MD5

            fc87e701e7aab07cd97897512ab33660

            SHA1

            65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

            SHA256

            bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

            SHA512

            b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

          • C:\Users\Admin\AppData\Local\Temp\32.cab

            Filesize

            47KB

            MD5

            9dda4db9e90ff039ad5a58785b9d626d

            SHA1

            507730d87b32541886ec1dd77f3459fa7bf1e973

            SHA256

            fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

            SHA512

            4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

          • C:\Users\Admin\AppData\Local\Temp\3582-490\ScreenLockApp.exe

            Filesize

            1.1MB

            MD5

            ef7a9bd97bec8a6070b2b99053d54ab1

            SHA1

            2ab06b299df7896555220b5fc5f8924a8fc901a5

            SHA256

            50814f4e49e5150e41fc9a3e4bd3145b27043d23f5d72780cdfa956df00ba8da

            SHA512

            1c0b3f06317ca0916a102eb374207d9ff2f9ba2e14f855e9296d104ed4ccaf7f119ab44c43f492ab36269b3e1fa3f81c19cb0f661ca33bf2e1a2a400d4d989d3

          • C:\Users\Admin\AppData\Local\Temp\64.cab

            Filesize

            49KB

            MD5

            8cfa6b4acd035a2651291a2a4623b1c7

            SHA1

            43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

            SHA256

            6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

            SHA512

            e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

          • C:\Users\Admin\AppData\Local\Temp\888.vbs

            Filesize

            560B

            MD5

            7b86ae37b45d197115f7ad60fccb4936

            SHA1

            78c17c59d5a77770317f0628be347183f46d2473

            SHA256

            9d5db32220ae590622389eb07ac2445dbb64e24127606227df45facb2add5912

            SHA512

            bca2effdadd852e51181f5105b14232f138a050edf2448db331b895c82a8b7c5d66d4aa99e2ad63d9980abf87c265553ba1477a5285c6fb8a071b65b8ea91c23

          • C:\Users\Admin\AppData\Roaming\BypassObfuscator.bat

            Filesize

            90B

            MD5

            b66ee906b7e069d7eea40fbe49377c08

            SHA1

            4979c25663ef93e48f5ac814bef8a8a383bcdd7c

            SHA256

            e76f8325db6e3d63a9b7184a173bbd017d756a980ab0cc0ac9b109d36ff8cdd3

            SHA512

            6a0e5d41cdafb1ff3950edbd3c5a1f081c424156bfd2a3903c3a15b849e292ce6f43e90a07294f3ded1e34669bbf13a8847adf42b9fe91417aa597718a045f52

          • C:\Users\Admin\AppData\Roaming\Lock.Media Center Programs

            Filesize

            8B

            MD5

            de6fdff1993c731e52e49d52a6e684d9

            SHA1

            120d1ff8a24109eed24ac1a5697383d50bcc0f47

            SHA256

            645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42

            SHA512

            99d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1

          • C:\Users\Admin\AppData\Roaming\Lock.Troll~Virus.exe

            Filesize

            2.0MB

            MD5

            c75b522f51f5c61a6b5d89f0df049132

            SHA1

            68be3459d79d15a27568e2a89c174cdfd35a9092

            SHA256

            e188862739a2340428088e76fd0ba0129993b4d31b5ed7f22e58dd199de75247

            SHA512

            a8ce2fe13fdd8f97821fee36a26c45235e4d0450dfabe7675ba6c95b228defa38c62d3b834b94c8de8502be2851d568b9683d6622be6b559ba259033aa0ec9d4

          • C:\Users\Admin\AppData\Roaming\Lock.VWYQFE.exe

            Filesize

            741KB

            MD5

            04dcde1392345bfcaa47488d4ca8f9cd

            SHA1

            853e185ce326ffb64b5e36e84a258efdacb1986e

            SHA256

            14ac047984781bbff0ade4ad1a9f348da9e23a38141ea71a5fb0e11592ee3d14

            SHA512

            c619f964219ea139417b55edc578215a37da7a6636f9d102ff003382d2daa6e80dbf6f8553a7193c89355a5dec1ce4dba65e3d66ee860673daf4c89eda7364c3

          • C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe

            Filesize

            1.1MB

            MD5

            f70eeb19a96e3ee21b289e86ac97700c

            SHA1

            3b99ffb7ac3dcc18bae898f379f869128d31a03b

            SHA256

            82e0a977f2d2454ddb0fbaa8cc3ffd103eb4be453d2d1a176751e4e3b1ee93ff

            SHA512

            8d4d3efb42901f59d26835f4c903155bd49f7176aa209d7f4a2714fc2f76b1ec2c91ce58a34e46500b757e3fb068cab854557ea88c1b400475b0974bcd6f4915

          • C:\Users\Admin\AppData\Roaming\ServicesTweek.exe

            Filesize

            208KB

            MD5

            929bf3d80c2ce1d445d4ca30edcf447e

            SHA1

            d130cf65f38620d0778d5fe9261afe9f671c2a99

            SHA256

            1431e1602f424e8489dd9d5567ccc695946593addd2e458f80ae2647c1130d9b

            SHA512

            4ff86591e9d6421a1aa3af1d78580ca86bba4d98bf618fd4d6735df09fa95b8df97f06b4c28f582fa861d6b8b016c7ebd11bdccee0e98118c96dd9e52f2c6fdc

          • C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE

            Filesize

            42KB

            MD5

            ececf31c293ec9dc3cc02e9d81568c8c

            SHA1

            f67678c2148fe8591c273944d47315c1059148a8

            SHA256

            3e4fb38a38a0f01e75f361f7280ad5cf8b2a5715ecbe86b2dc889161f9bf7c26

            SHA512

            b0850df69c0a10bc804409a57cde2bcaee1c34cf36a6fc84b390fa7163023280215327808db084dce343b0d158188577360931eef8ddea29622083933603f104

          • C:\Users\Admin\AppData\Roaming\Troll~Virus.exe

            Filesize

            2.0MB

            MD5

            18316e2ce9dd5c2117493f4f2f4e72d3

            SHA1

            55bef85ee50a863f3658db6ad692a8ba11d29923

            SHA256

            e23b7014e4497e9111c3ac5d31420b6e04ba7d8939e8b1de02e3590c1176414d

            SHA512

            0cb5ed138440698b065a55c13611c3b09c1233e952b10380bc8396715274eac5b374f8e7a56b1695e476dbb0321e08204e8a7aacbfdde291574ece3d0a3a92bc

          • C:\Users\Admin\AppData\Roaming\x.exe

            Filesize

            741KB

            MD5

            80041f5a17c53028f8603321de845061

            SHA1

            33a25cbd6cabca83c78b6f0e668f64d5a096f29b

            SHA256

            0370fe07f7a6150a7d7acdbd9776a3c0be85620ea00bf625701db6cf02f458df

            SHA512

            9ea6a75518490e6ffee822b69447c9af9beeacc68aec271990cb0561f02766e9c367e12305ada485f4a0359368ec269542c630f52301292c401f114008524dea

          • C:\Windows\Logs\DPX\setupact.log

            Filesize

            6KB

            MD5

            79dc5c6df2c1acd3f1421b6cc6049a95

            SHA1

            6c3b6cf9f4bfc747511a3b0d950f42f08a2453ec

            SHA256

            04338bd9cab6556a0568cad11362c6c93bf9c84d098eeeb918d3acbd9e39a439

            SHA512

            b3c3e9b95cf9481fdb49293a7494d118d5d1e752edb9575530bc7d889db2092bbefff666de478c7aa4432900e86886a79aa9ea5c14d1daa53b1f07b2e3844d48

          • C:\Windows\directx.sys

            Filesize

            145B

            MD5

            76ce8301039fcb0e4b63c7bda0f88252

            SHA1

            e0fcf052893e5944cd4ebbcc4afaf50ad618666a

            SHA256

            c18039e6d62f2312c8be13ed419528c5607b12699502f23b71167cc5fcf20635

            SHA512

            11707a4f21e3fd42d09d83a1aa096365acc9591153d90357edbcbcf806c7ee6b2e044c3c88276d064c05b9ba9c1010f399806d03f1d5d2f17449791e8ffef383

          • C:\Windows\directx.sys

            Filesize

            176B

            MD5

            080d512adaedf053210e217599893794

            SHA1

            db4fd9ef7b4db72fb4c5fcaf3ef37164c0247059

            SHA256

            fab14f31e8f9d12d92b334eb50aba3364240b8610a4a83863f1f2c453510c0c5

            SHA512

            247212947a8be0d0bba05b09c3867777dc41824991bbb08ed3a1f2b321d047d3e756f383ed43d48f2b3c2bf4e1a572bcde4f9020a50b0981224b18bda1a5df1b

          • C:\Windows\directx.sys

            Filesize

            217B

            MD5

            5dd92122f7add0ac570ed3d7956179e8

            SHA1

            5facffbfad14560942f3e5bc820b189331952e43

            SHA256

            fa361d461fcb5bbc569e74a5bc9ce6ff8139051f9a6be102c358247b28e8342b

            SHA512

            07b042362802fcc381c20717d9001282b4d6b42e0d534ed76c1a3de87d5b4935c1cd28e491b48576f9d831da28b4920767a30b204809cdd70527269e5c2c3bdc

          • C:\Windows\directx.sys

            Filesize

            314B

            MD5

            91d42c8104fb438f4070fe49408cc146

            SHA1

            ed01ec9e4d4c8f1f6544afb9d5653561f6a344ff

            SHA256

            d2e45bcab5a769fb7ee21690e4c8b5c9fe96a5cd30d78fa84d30edb223a7fd88

            SHA512

            e354077c8315e5df7e52b1b50d85f515c4de8cc6fdb27aa7735c43e2f30aa61a4ddb5d33f0f49812838d02a85b2b3f056732e80cc99fc9f178e7de79aa26c554

          • C:\Windows\directx.sys

            Filesize

            88B

            MD5

            ed345ace8d6c733f03c96da4c0ddf47e

            SHA1

            918d319ed456354a0263ea80ce2ae08b7bf30ac8

            SHA256

            fa1622169a2006a708f3d9c0adf1d8ea864f41d0817b50b6f4a834ac34f9e9c2

            SHA512

            d3b92bdf6031412f1ae9d0c250997213fea6038dff96ea2901234c7dc3b99282d774c3273625b9d0e84e806b5c609b571cdbaf2d90279a6cdaae5d200410dbc5

          • C:\Windows\svchost.com

            Filesize

            40KB

            MD5

            8c82da886615880591097012f5c495e1

            SHA1

            e967cbe5bb33fb4ceb302a079e707e12d6ed013c

            SHA256

            6e8e9e3190510366c4f76ce47911d9c91e56741c282ffd897bfb9ca32e4aa9c6

            SHA512

            418c0a2aa43c4001ae913ac225596d6fd6c6e39361d15d602152517805a0e6421ca10d87ad582136e11b290aa3627ddb9032fe00f0041720e8d6105f0b93c54a

          • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

          • \Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE

            Filesize

            1.9MB

            MD5

            0a38ff490ed8cf0cba13acf59f6d054e

            SHA1

            884cf0894711f44556312441f71c508e3f2f7fa1

            SHA256

            2ae2797f7f6543788cc7fd1ca7a89a17a9cddfd28af3f13515c8e521126e93c3

            SHA512

            bdd476f5509d758ac5518d0309e213fb5005ced349e452f4fe185b643264d84771be70d4901eeffc1c335ee584e0329bb7edee162372b8214b2d3d58036d4611

          • \Users\Admin\AppData\Roaming\cryptbase.dll

            Filesize

            106KB

            MD5

            1deeaa34fc153cffb989ab43aa2b0527

            SHA1

            7a58958483aa86d29cba8fc20566c770e1989953

            SHA256

            c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

            SHA512

            abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

          • memory/792-343-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/792-377-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1136-247-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1528-106-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1748-133-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1868-125-0x0000000000240000-0x0000000000436000-memory.dmp

            Filesize

            2.0MB

          • memory/1964-3-0x0000000000C40000-0x0000000000C50000-memory.dmp

            Filesize

            64KB

          • memory/1964-1-0x0000000001180000-0x00000000018B2000-memory.dmp

            Filesize

            7.2MB

          • memory/1964-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

            Filesize

            4KB

          • memory/2244-292-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2636-272-0x0000000000DD0000-0x0000000000EEE000-memory.dmp

            Filesize

            1.1MB

          • memory/2660-341-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2684-376-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2684-342-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2784-57-0x000000001B590000-0x000000001B872000-memory.dmp

            Filesize

            2.9MB

          • memory/2784-59-0x0000000002790000-0x0000000002798000-memory.dmp

            Filesize

            32KB

          • memory/2852-330-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2872-293-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB