Overview

overview

10

Static

static

3

7c7ba94281...0d.exe

windows7-x64

10

7c7ba94281...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe

  • Size

    91KB

  • MD5

    685403cb101fb109846fc08743c34d9e

  • SHA1

    308996254958dbb83bc768873dec55f7323fb35d

  • SHA256

    7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d

  • SHA512

    54235ae168dfd55721032f049eb876d004e1f4ea7704a99be46cd0754f6bac8da0b9adbe6598d873c4501bd6599a2812ec82688468dd6ce0c647e5b2bc44f8b6

  • SSDEEP

    1536:IFAutcCNS1mgnd2y1nrPlGiCcCBEulwhFAutcCNS1mgnd2y1nrPlGiCcCBEulwu:IpWC4YgBPlGiyllOpWC4YgBPlGiylll

Score
10/10
gozibankerdiscoveryevasionisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe
    "C:\Users\Admin\AppData\Local\Temp\7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1820
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2556
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2632
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1464
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:884
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2952
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3032
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2268
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2692
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2392
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2860
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2152
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1640
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2344
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2792
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2100
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2656
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1476
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2956
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1808
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2288
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2084
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2500
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1208
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2744
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2352
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2200
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1956
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:288
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1520
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    91KB

    MD5

    6276a658a1d5ddcd7a3c5816c2cd6187

    SHA1

    75963e754c5e705a2fd6529fe7b44c8db81517fd

    SHA256

    2d7422c3c5b1f5f2838486e837c6d39ab98a078d7b6ecf3eee5ed3cfbf997b8a

    SHA512

    c268867905cd78be2b72d3c193a96e96d35ad6fe7b0916a00ac0525214461466062ea8878e1d55cc659191e649c29cb325f8a8dc877725646e9a27cc24893442

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    ddd7093039e40b095b02e0d4d4a5afd3

    SHA1

    496b292f74d288a406add7af6865620e924d5edf

    SHA256

    99d546ec5220a261ed18166943ca486a24aa9021f22bc7024b8f1c98d9616265

    SHA512

    9fed7802de0b58113573f8817a95264ddd7ddbe32531a904105a5cba0329a8bd31e2a4e430e43ad70a580240626dd75a73701c22d4c815543c87cc5a529835eb

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2c3f250ee2335f981d08ab0ee7ed78cb

    SHA1

    c6c1873cfb0c477a11047a2d7a8d70347686e67f

    SHA256

    0c14308483cc46cfa8f29645530b97c2cf471932fed81c927a3d86a950571800

    SHA512

    ad1c50deec00f5cc2ba03602528f55833eada3f7fc25328c3ed741b722fd8909959ffb54a4c9706a5a1c64d951089774915abd1c59d55c09f09383ab07ace0ed

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    96d33e2696a9572364e91b5ad6947671

    SHA1

    cd1be159f3712ad763466c26c1e2dadae5e8dcf0

    SHA256

    589b9f3ad976cbc132b701bc7b4d5eba21fbae3c494a776f113c7c9184fecfcb

    SHA512

    69684dc8c774d5fdec99dbe60bcb5bd958955fb5c87a90801cf868326df1d50fe976e945a14c7b1a6acb1f15dcc6ff26082b2eeb3d2c0680b4129b8a792c2c89

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    1fbaba02791edcbacf21a66ed814bf34

    SHA1

    ce733634a5a84f84f80f2b33278adbf066c3c648

    SHA256

    5747c7fd09f19d95db1157bcfd4732b9dfc0538a6a0f7629adf25acdf90729b7

    SHA512

    21a0690de2a71a6c11f2fe3d2501755167ebdc4ed5c25272385488f9cb19739a5dc767119b95df5513a64647b5fa412be4c06e9d66e512933a9892fe20314b49

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    7bcad44b4eab8e41777aef15836d7fcd

    SHA1

    4057437cd37cae68c23d0c2513c298d6a8f3137f

    SHA256

    00396309fd00691b1b39456e07dc1a2a4fa72f83141b26061432d2767de41305

    SHA512

    6c0eda11471bbf479441c31dd6b20a187a4466765b90679c1583b6c317c58e4be7b0c93f7a6d8326e0e6add1ccfd8f5f2f3fb962ed16c3ccb702c63fbb558849

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    98770412a56e104ddfb87ae6340b1093

    SHA1

    4b60ecf99f45e1fd07adf47f3b4e05ade8abe097

    SHA256

    973cfb62fa06d8df693284dbf4130638dc1defc14c535cb11a45880f0584c1af

    SHA512

    a84524dbce338197bf0067f656c1dccd51f94ae64ea4e12f64a8ed4b781e380828e56e2ec45cbd7fdd797d4b6c402085148c268a4ec328b89faa7a4bca907660

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    334731784ee0ecfbe313131c7d4f82fa

    SHA1

    3d887de450ea563f8cda61de122b30ec2639134d

    SHA256

    91d740d267ce3de2f8313ad243e65a34ceced27537018124e41d239ad189788a

    SHA512

    1ee44a36f587f806309aa73bca072b5daaaa0f1bed208c81eee15d1ac1cfb4b450c3288a2dabd807cab594d977b27c8fc26f6dcfa0be40cdb11a6576d282a4ba

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    685403cb101fb109846fc08743c34d9e

    SHA1

    308996254958dbb83bc768873dec55f7323fb35d

    SHA256

    7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d

    SHA512

    54235ae168dfd55721032f049eb876d004e1f4ea7704a99be46cd0754f6bac8da0b9adbe6598d873c4501bd6599a2812ec82688468dd6ce0c647e5b2bc44f8b6

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    78d97ae526ad275331cd73401c322ca7

    SHA1

    c3f1af8d4510abdbc821deec68d72b97c58804c1

    SHA256

    ee76ee54808f1b57a9bf7f2cb44572c1e875d028dc806dbb749bdf58f12541de

    SHA512

    141dcb8c6c8303ad5934cb642213125426dd88c7adc8d83d92ee22a327482401cf2459578fe3100c391808f8271b6ed07398b561372be70c7d6cfcb48d70b77c

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    91KB

    MD5

    6537f50e383a4088fcfd5959e9af0fd0

    SHA1

    e4b42e64831cd1ecbc31b7a7a46d86af698d57c3

    SHA256

    c79e74521c3eb3bf67ee5d948be7ce8437e0ec543c93b62a652c9e5b6df0ca5b

    SHA512

    cc1dc4b3ac490d71fbe5a3e656a73b6d43952fb177aff57b62273ef17bf74667ebbccc35d174e50c930d81ef154a091c45961324bd00bc3bf76a037bdc8b8b48

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    fd1df0aeefedf3110c5217306241c0d6

    SHA1

    a690e4cc38e2346b090210d8357a65b057a65b2a

    SHA256

    ffea178baf3519beba99dcc8c21a52758f0b0f6fd7f4e06378b4dbeb05982a0a

    SHA512

    6d25e09de8f5370d14156cf0d9f20350355e727a7827293ed37de2b8c1d863ce679f4c0cc63d7c49624219a4a50f0539273ec8836c17e2841d727be55c2f1de3

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\cute.exe
    Filesize

    91KB

    MD5

    7c7e30156b3f12e26a8e3634583ac9bd

    SHA1

    983a1be7c6e748034259c480050a299d9488dfc8

    SHA256

    f5941b4e79274501ffdde6d10c14a4083707d9288e145e8d403d5c47b1fdcd3e

    SHA512

    ba71020b5294124a0bf39aa40b9d82cc36498642495b972510364cf1e28feffcfe0a77c57beb60a81bc58d4cb461c5d5a55cf5af3db4e3008116255fb013f681

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe
    Filesize

    91KB

    MD5

    b41f66adcd8c6e9e9c62954f0ac027a7

    SHA1

    107227a9684feaec0ccd6d5b2adff8962df0171b

    SHA256

    249c5f0328da33dc98d62d5c5234e0aeec1cbdad8cd2d9b970d7e39afc926e8e

    SHA512

    6374d2faceb4c8ee41399f683741ad19a0c8b985d0b0d8021769dd68c7e036741fb10b9a1ea0382b1663537f2528f1eb679006a2829873e7507346f7894554b4

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    254f1e6a26e7d3580fb663d6420f7a43

    SHA1

    91d8968a98855046e1bb2a6b8818f276b0fd1d33

    SHA256

    ca0421eb5e367302d5be392d1a89d0735612981ad2cd44ea3ef822d7d21c8f34

    SHA512

    83fb7b8d2783c67fa198a853e427c78f931750cbe98bcf5ae60a026826b06f4c56c8ad1feba1b415219fb5070a3923a75985f60892435a4ffc736eb6f39b06bd

    Download Submit

  • memory/288-224-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/288-225-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/884-332-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-537-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-499-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-484-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-531-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-514-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-149-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-361-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-472-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1208-406-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1464-307-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-501-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-530-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-474-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-461-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-536-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-364-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-296-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-441-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-500-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-445-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-535-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-513-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-136-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1476-515-0x0000000002CC0000-0x0000000002CEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1520-260-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1596-297-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1596-367-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1640-516-0x00000000003A0000-0x00000000003CB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1640-124-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1640-264-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1640-534-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1648-435-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1648-369-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1808-466-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1808-467-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1808-469-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-404-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-148-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-294-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-99-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-98-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-295-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-105-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-111-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-405-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-240-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-239-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-122-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-137-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-135-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-368-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-134-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-360-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-438-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1820-195-0x00000000004B0000-0x00000000004DB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1936-251-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1936-241-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2020-497-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2084-509-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2084-492-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2100-465-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2100-457-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2152-487-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-491-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2152-486-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2200-470-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2200-471-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2200-473-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2200-476-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-456-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-459-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-460-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-362-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-485-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-533-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-529-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-237-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2268-363-0x00000000022F0000-0x000000000231B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2288-489-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2288-483-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2300-518-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2300-528-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2344-396-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2344-395-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2352-463-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2392-398-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2500-525-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2512-507-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-458-0x0000000001E00000-0x0000000001E2B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-510-0x0000000001E00000-0x0000000001E2B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-263-0x0000000001E00000-0x0000000001E2B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-100-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-532-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-365-0x0000000001E00000-0x0000000001E2B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2556-147-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2632-248-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2632-247-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2632-238-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2656-517-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2692-310-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2692-309-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2744-443-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2744-444-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2792-440-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2860-407-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2952-453-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2956-448-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2956-447-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3032-480-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download