Overview

overview

10

Static

static

3

1285cc3f94...24.exe

windows7-x64

10

1285cc3f94...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe

  • Size

    351KB

  • MD5

    8ab266da034d68f83f6148e2e36610db

  • SHA1

    cc5bd0694a9e8e7007f8b7eeff312c8fdec833b8

  • SHA256

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424

  • SHA512

    c332e3e8427543dbebb0bd0de694028fe164e3cc330c131b8a463d3dd1ba5391efe921ee6d5690ffdc6a95d3f9714baab1c6d1142141086b1182eb2308115776

  • SSDEEP

    6144:V/OZplcYZplx/OZpl7/OZplx/OZplQ/OZplU:V/Mcqx/M7/Mx/MQ/MU

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe
    "C:\Users\Admin\AppData\Local\Temp\1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1964
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2632
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:608
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:348
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2120
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2548
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2244
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2260
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1448
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1808
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2104
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2620
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2628
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1196
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2916
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2680
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2800
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2972
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2368
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2940
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:352
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1408
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2112
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2396
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2944
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2256
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2288
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2188
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2440
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2664
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    fb718a47007942fc98fbe2cf9732fbb5

    SHA1

    28eb231e1bbe3f2620fbcc83b4a4d863c35db85a

    SHA256

    cf6141043aaf1ab4d7ac8c37274f630ed7f2eb4e7ebbb58b432c2cdac5cae2a4

    SHA512

    9f7d130111c6e9f746138a08377d3b77cf2bf81a7c3f2834f3faa85f43a96d7588d0993074d1b60556495aaf68ffa2ed9b6a5d76e1949353162b523eed0b151d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    05f29fea0f578a6b5d41446704c43591

    SHA1

    321e647ab474cc7b3a27fd7f75266dcca2b7c9e0

    SHA256

    28da3389bd4238cf4742ddff4cc98c2291fa276e5724715a0f0bfcd4c55b4747

    SHA512

    5210a1ee4f41276ee50a89b848ec60effe77f1ab4c4564224d125f437ebc6b82bd8860fe2ce7a77a68970767ad2f8a0a60dc7b9182d363fe4269021d17d1dda8

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    cacdb0d14baff5b7df19809aef125cd6

    SHA1

    5f7f399238172c4fc753e083b78de4e2d78789df

    SHA256

    63f41fe0b3f318c70481ca78bd545ccf49db1cb3f3093f6e9c4da5e6361bb4c4

    SHA512

    287d0f6c4617650968deeba0bc0f54878b5ae2a9a4424eafd10cc44db15c9935ff80252af0a675b30704878d3260c024df382e502a1fde8f3ec6b96058d183c4

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    c58d18a75631842bccd113967981ffdd

    SHA1

    17a99269f4a403031acd1d4cccd6eb59f3c50ab2

    SHA256

    2b32b8546ffd1f898ec84ed5ee5fd5a953df68c1e3ab87c3e971c4762a7acca0

    SHA512

    30d10022da01ad6b11f1d892d1a66339c177cfd151896dba6fa01a7af248d897c2379073ef96bddc3182a2e2415841fd277c20cc604edefc01393ea9b1a2a8ef

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    4d62fb5742523f969a4002fb8c490b36

    SHA1

    cd806d44aa3f417645dbe099d8aeeae1e3358719

    SHA256

    e6032370a9c64d4538ee7a8ecd51ba68cfd6550b7ce9ec5d091517bae9274eb8

    SHA512

    533b019b40a06ed9993c7a9c77a53a82331e5fbc977a52ddb749fa019daeb14a0f65b9e8d40db7533632a3854ae7d0d8679bb35cf5cbdcbd66d2515953bbd44e

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    4d0c2f3d93044485f8ccf62e4215d0f7

    SHA1

    49e0342feaf671049bc5b9883d2c5b96bc8502ed

    SHA256

    f48bcb7b56c3ba226c0f0da881433837c568d4a2d26e32c059b88ed629e07c89

    SHA512

    5fee141cbbdb8d3f21c36b5230679c30d9a56535b026f9091ab9a97ba45d04143f1a92dce78e0a6c5de55b6211090d2848b7bc80d8af4a23ec3ac98110f22362

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    f06c93ee0913b676d0f70686147ba39e

    SHA1

    146b598e0d76f65983adbbee7255e63eefeb6a26

    SHA256

    2da4be4ceb16097de53cb17141c92d5748aade34817c27b9e304488875024ec4

    SHA512

    09ad023e9206d175ebbe6cd549908e50d2ce9b8fb2c962265bcda5372476b64b9b4b10dd38156c3c07247cb4809903520d73a1667644775f6a2b946c0e8e8555

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    351KB

    MD5

    48c89166e461e449588be6760aa0c533

    SHA1

    aa3b982f5b8ef95d25d99ec6211e51ecb8bc2c9a

    SHA256

    7eee47dfe336ad98a52e7d5fc623d4387a336ec7e6f270d13c6d1a729d0f094f

    SHA512

    64cd399753a3d2d38b4b8fd6239e0c3eefc1ecf6c5222a15acf99cd3b9ffa68e9884def2746f9dd35987cfee24bf225f2c266aa0940f88b4415c7e42793482e4

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    3259168b34e13268b1bb5c06deafd04c

    SHA1

    89091bb5bd7b6e7c922f5912aef622a20ae7fc7b

    SHA256

    0f40e1428162fc9bee5002a2d9c23efd9b1fb6bf9bbd22de6a0d375e96826363

    SHA512

    27567c548ccd70fd9f24d516acbd6c1584539a579871627b054fccaa1a7024f18ec096bcb28e76f108f7905eb5b3a8038ec937be1c40141331e7853c844e6d0a

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    74ab574140c1955354cdbb84c2145554

    SHA1

    cdb301b39e279a09b63d7e7545a3d94e9baab08b

    SHA256

    56b36a76631dd4493bd458140d6d2d92fa3a567617e6b0dd9a5d20b6a1d9a98e

    SHA512

    7f62a279e16482379943d9edce6ed278e10355d59c86d79f20a9c4e26ac9912c82b0b1e1f4a0851309b3245b7c5f3b9be66bba105b99db1ded3c977957c0495c

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    25b1aaeae702937c650567bfec92cfa8

    SHA1

    3627e8b6cf2277aca2c410d5b1a374b700a8885b

    SHA256

    05bd0ed6cd07afba1c9da089b0fc6e517f5be127278e4f37eebecbf1bf79f6b3

    SHA512

    d40f97dffec454876fd3e5b7a93093928f99efa831bf3b49e7c0cd917a88ee703fede1d28e559fae8ce48e7e064b41522dbdbfedeebb3a02181af93b8011083e

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    8ab266da034d68f83f6148e2e36610db

    SHA1

    cc5bd0694a9e8e7007f8b7eeff312c8fdec833b8

    SHA256

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424

    SHA512

    c332e3e8427543dbebb0bd0de694028fe164e3cc330c131b8a463d3dd1ba5391efe921ee6d5690ffdc6a95d3f9714baab1c6d1142141086b1182eb2308115776

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    05ab57f40813ad90d15f4e4560c2b44e

    SHA1

    217ac669c91aef4c36f70031a3efb399a110e91a

    SHA256

    486ae7ddc4daad563c3e579f09ca0d33e9def62a05f99a0f3e638c5911558c7e

    SHA512

    a05bf9610b03aa49ff0d1c2ae1a2f35506ab3ef5b28993cb6552fe7ed25ab8717e9fb384dddee8b12eeec071a3fccd351d5040d7f48c865f3563289d2d83483d

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    5908aacf252356857d962dbc7f52db3c

    SHA1

    523ee652bb1b569b8c15006fea10688b0d2a6f59

    SHA256

    437aece3de1274727971b56bbe4175c30f36964faac7be8c91e2add8b47f2d1d

    SHA512

    355518872b4b38e98ed65c084861e8ab12ab88f2a674d612236b67a89f67471da056850be18308f9b8d9b6c43ff3066a32a8e97361c9180a806855095d6056ba

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    351KB

    MD5

    eac2d76881345c670450620bb670666c

    SHA1

    5938143e5b22358126a534526f6c929981d6c840

    SHA256

    8cdd997c001fcb13a4a80369964622fb2d3bf5dea3dc89f6e7ce59cbee6936a3

    SHA512

    6b50404eaee4da45d20a90ab16bfc477cf70ed1fb198607fdcc8f82035659af9a172aff7f50fa7bc6ce55819ae6764f1e001e09222eba2335b8ddda2a68e43b3

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    351KB

    MD5

    6642f642763b24e61862f76305c056c6

    SHA1

    48a459c65abc131ae181848c0136663da5766ace

    SHA256

    4521653a32b04248a881c1dc149dbe7f1eedd5e0600d5ed6b9e7ce0ace43b6b7

    SHA512

    918c7ee7eed49981be9b0659c8d57638d897ad474a34b8612e963c52d0c806127c5495eadacc6e739185b869b79b56cc681f3b05570bebfed9769d26512bc804

    Download Submit

  • C:\tiwi.exe
    Filesize

    351KB

    MD5

    29ec2903e85a2c2796de56633cee6ba8

    SHA1

    71a3f6d834b8c93fe74e83a32c5c997be7bdb234

    SHA256

    e471362dd648a850bc8b05168c5286bf3aff2d669568a0a12243455803a15cfe

    SHA512

    cbcd68cc056fce76f20fe78aced6c8ffd0e7f1cf124b79a3c822cde06fe5e2ee73c277e8ac66e3191174e16ff1b8e568344cbbaa6da8e3f562500a2297db0226

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    351KB

    MD5

    00d7a0122e2099c3b473bd20504f408e

    SHA1

    21ec93802e6836556f73d0d9cbc8225ed6a7927b

    SHA256

    430f4ef0421f27f8c1c933debaccc6f933dc16be9b51970a62505692979591b4

    SHA512

    b11dd29415e835337994dc3f0d867263aedf44004a1c92eabdf968111b14e39fe9629b5a60fb79d20de29f81d650fecf3475e8e555b145cc8532ba2fbe598a23

    Download Submit

  • memory/348-280-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/348-232-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/608-224-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/608-226-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/608-214-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/608-220-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/936-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/936-310-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1196-446-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1964-445-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-412-0x00000000038E0000-0x0000000003EDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-228-0x00000000038E0000-0x0000000003EDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-98-0x00000000037E0000-0x0000000003DDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-109-0x00000000037E0000-0x0000000003DDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-229-0x00000000038E0000-0x0000000003EDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-110-0x00000000037E0000-0x0000000003DDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-164-0x00000000038E0000-0x0000000003EDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-288-0x00000000037E0000-0x0000000003DDF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1964-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2112-311-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2112-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2396-284-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2440-315-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2548-356-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2608-413-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2620-409-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2632-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2632-230-0x0000000003790000-0x0000000003D8F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2632-231-0x0000000003790000-0x0000000003D8F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2632-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2712-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2712-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2712-217-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2916-452-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2916-451-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2972-450-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download