Overview

overview

10

Static

static

3

1285cc3f94...24.exe

windows7-x64

10

1285cc3f94...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe

  • Size

    351KB

  • MD5

    8ab266da034d68f83f6148e2e36610db

  • SHA1

    cc5bd0694a9e8e7007f8b7eeff312c8fdec833b8

  • SHA256

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424

  • SHA512

    c332e3e8427543dbebb0bd0de694028fe164e3cc330c131b8a463d3dd1ba5391efe921ee6d5690ffdc6a95d3f9714baab1c6d1142141086b1182eb2308115776

  • SSDEEP

    6144:V/OZplcYZplx/OZpl7/OZplx/OZplQ/OZplU:V/Mcqx/M7/Mx/MQ/MU

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe
    "C:\Users\Admin\AppData\Local\Temp\1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3528
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2956
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3616
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4172
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2388
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3144
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4420
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4132
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:748
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4836
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4468
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3308
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1416
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5108
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2512
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2372
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4036
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:760
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3756
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2148
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3812
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2976
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2824
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:744
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3188
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:896
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4252
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    17ac6611f5285e424a6dda54af96acef

    SHA1

    a3fc0227a3a309db33806082010e2af20a197c72

    SHA256

    c95cebee18b7856605a77a6f4bf216af1df4f39ae5f8124d8d3d15369ad1f234

    SHA512

    1a2029d9c709a90e978cf3cd75c7e5d7253779550ed67288dc73d22b0e14dfd94529be2c84327bdfb50288d755ad21afa27e41a0214dc81e466cec6b90d6a191

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    b51019cc2d8502895d43164cdac39a4b

    SHA1

    a81f96e603d69f64c2ee335ad43f896feaf91734

    SHA256

    ec502f637f2e5f3eb8bad2707bf40059860f10d19b45fb6b65981dc5f7785137

    SHA512

    b0793fb1437e4bb36e1cfd6ff3407797dbb4f620dc1a1c7285849252bb74d81944e05c95a5572791b3e54428bbda6e586b5309fff5156869ba86b2f30f2eee7d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    9b6a6fb38e49ad6661ca9cf757e0ab1d

    SHA1

    a03c53afaa5a7d3ea14f3689f425e3fe42813206

    SHA256

    a42be31ce249c4240929a69e48484067769cb88a7f74dd6d207f6a8ea9cf94f8

    SHA512

    86f706688dfef8bbc63822102e3098d43f38677ab1f70f38f9ff35853a5783392d11443508e15b9e1f9516ee16e9c87e8c26d5662b6335c1ac0af64f8e7d1fd8

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    eeccc48ba42b974b8b7e50bdf3011e44

    SHA1

    e6d137122c07e615f128afaed0b863c0f1430f32

    SHA256

    dc2813714187c90c5336aee56b72c92db8f40c3c9598f4c655b7c7360ed1d9b4

    SHA512

    3a5a9aa0f2d3bad32770ac32f4b8b29f4da824d6af7b96b9b9305fca38b4965a887ad401d5316d3a74c9ea3e0578628b0b961cc2dfb6f724561888069d1621f9

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    c74eb3040bcbbe552a8582ab8782795f

    SHA1

    b71a6efc7ad5415b0a938da12d0438535a84faf7

    SHA256

    12789da617245accd056169fa993454be64e279082a6431693dd882efc2dcd08

    SHA512

    c6bf4927dac851ae547e35f214efc7e21cb9d2986b60dadb48e99b097b1625f02647bf5418b1f7971241f3f5a6c36861afbf6ec06da972f81aa060ea40c61645

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    28bdadd95bfd8efb6671af2cce3d9a14

    SHA1

    3ae1f5ca39f0b6610cde763e7fd7740535cb2fdd

    SHA256

    a6e821cf00c457d8541aecc36de167b1108323211a8da23f87f18b15ce66af37

    SHA512

    433859522ff8eb6c1334e535408833f74b193eff33cd2c8e73c1b0a50baa009dd161bf20328aadc5499c5310ca6fd298581277e08c4072b393b8cc3fd1d68176

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    7353ca65e0176374ee93ec78e971f360

    SHA1

    376e95fec9b70589d05ee68a37afbac3473ef5a7

    SHA256

    97a45ef925edbadafbadbf4c17579cf3af49360c53da0c648a42b055633d34f2

    SHA512

    8dd8b9cd5776923f48ef9891ea08fed120cd0ee72c5e6d431f21805ef1190ef89b22ffcc0a602fb61e8b13873a17be44dd71c7a022194f17ce266ab1db767dd1

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    208ff7ab3beec5022ae3a4af5045e5ec

    SHA1

    027652e13f44e327cf765458e37177cb142e47ee

    SHA256

    b121f9fb15c78d37348d9740f1bb8771fd0adfb9c90cb3d271e12ee1466310e8

    SHA512

    6015894c9deb294ade6ebdcd1b7a1e6e120382c7ea2d360fc729104b9c410035e4b51f7867f89d3d77a01bcf2b021f7ab3a2c5ff851841cf980c1f0f9987df34

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    351KB

    MD5

    5ef861ff402b17982d4aafe9e8c9d012

    SHA1

    a2be06674bf370f6130165708184b77f1919f419

    SHA256

    79fa5d41ef7e935e3f736a243c4b976c044111c2052411025b9ca37b07e77af0

    SHA512

    2effb92f02e666a4df4c937841fb139e60c341a430436ae8712d185e2e7dfd1d5067dcca7f2cb6e48a5e32a369b14e607f8677c2e91eec5bcdd6541b35c12f5a

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    7080031c13eb661b9c7d70bcedf846f2

    SHA1

    4b571f928e0b86f3029e0610d9021688570be848

    SHA256

    c7df078ec22b6b3ba42e37e485c64da68eb24f5f594c92f2f3c2e9cb7766ca88

    SHA512

    182a175c57ffbb1a989180f19fb3d9f30dc20ca1e2cfb2a438454bad6b4a79141c7c5adb366c651b98da92fb36a2be73b5af4bbdd5d7a9c478c8c6277e2d0b4a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    351KB

    MD5

    3e06a3910bcb96a6a3a0b678471f8cf7

    SHA1

    76a3f97d0d23034d46ca93ba81e9f1fb53922aaa

    SHA256

    117382ee1597f03e97f8e61cabb73aa198a7e4aa88d0f19dfc6c24be23fd221f

    SHA512

    13dd51fcd88d247fb278ee1d8642b0863aea7b9946187282ee12784c23ed618a16971e6870216165e50986543349a8e75b7225788d2eba7a33016922afd66a65

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    8ab266da034d68f83f6148e2e36610db

    SHA1

    cc5bd0694a9e8e7007f8b7eeff312c8fdec833b8

    SHA256

    1285cc3f94e48ed14fd51df9556ce8cd05146c8f2759eb1a947a626d2e064424

    SHA512

    c332e3e8427543dbebb0bd0de694028fe164e3cc330c131b8a463d3dd1ba5391efe921ee6d5690ffdc6a95d3f9714baab1c6d1142141086b1182eb2308115776

    Download Submit

  • C:\Windows\msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    351KB

    MD5

    93e8d9b1e9c109e5d5c2c60b2e84a76e

    SHA1

    3b4a99076ee6a51c1023fcdb4aee90ca95611759

    SHA256

    a18677351b3b28a0f17c4e88e6171ddbcd5015b1c200af907f1cfa0ee56b96f7

    SHA512

    a6f287173bd994e4306915b233c10bc2b4535755097a25e8b9087482e015266663bf79117ab0f0959c0eba03ef9209f162b26e0d3f491330280000f6052d5d1d

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • memory/1416-319-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1416-230-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2664-203-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2664-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2956-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2956-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2976-431-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2976-291-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3144-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3144-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3308-221-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3528-416-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3528-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3528-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3616-201-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3616-196-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4036-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4036-409-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4132-364-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4132-321-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4172-280-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4172-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4420-255-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4420-292-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4468-197-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4468-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4796-317-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4796-358-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5056-316-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5056-271-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5108-360-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download