Overview

overview

10

Static

static

3

0ee3386607...db.exe

windows7-x64

10

0ee3386607...db.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe

  • Size

    52KB

  • MD5

    e51e107f9ee3de6202449d7ff315dcac

  • SHA1

    40eec8327696857e7f28a3e22346a76e00306a10

  • SHA256

    0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db

  • SHA512

    8e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10

  • SSDEEP

    768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wpkfw:IzaEW5gMxZVXf8a3yO1opwF

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
    evasion
  • Windows security bypass 2 TTPs 25 IoCs
    evasiontrojan
  • Blocks application from running via registry modification 30 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Disables RegEdit via registry modification 10 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs
    persistence
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 28 IoCs
  • Modifies system executable filetype association 2 TTPs 62 IoCs
    persistence
  • Windows security modification 2 TTPs 30 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 15 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 45 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 35 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
    "C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Windows security bypass
    • Blocks application from running via registry modification
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Windows security modification
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1920
    • C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2604
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:464
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2144
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3000
    • C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2748
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2252
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1860
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3052
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1704
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2192
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2128
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1888
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:872
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2728
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    52KB

    MD5

    7fc249f3fef92d8c151aaf4fbfb58915

    SHA1

    2c56c47a74d02060b64ffef556d52254d03bca86

    SHA256

    bcbfb9c0185024ced6352f73c907214d132d2b2a11cffa7360e5f6e27bcd6f8d

    SHA512

    9fac9331a8f2fdc319042965a50dd409f94d6687e602dd337dfc7ee04d0bf3ff437caf26f9cc4d6cdcf9c42c1693883d38cf117731aa869700931c34ef454f7a

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    52KB

    MD5

    a175e67950ae313469cf1ca8015e3311

    SHA1

    e746d6d03f60d46b457fc24a93917aac6debdf54

    SHA256

    e1163c44b555a6d17a33cbd87a73b6d4a1a65bfffd3c9ddfd74e11f4167e8d21

    SHA512

    0694a9d127c542041c93f3c814169055aac01754fb774a2655b3b1b409f8d698b5167c0afd60adc24747772119202fb706acb720618fec45c5d7041e7e9cb096

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    52KB

    MD5

    fc34227aa6f4d58562123dfbe68ef56e

    SHA1

    d16cf98dde38cc416600056645622b727e8f4ef0

    SHA256

    3d2846c55f65daac4b97b7ffed3fab6403498e38611ac41143dab4bef23a4cf2

    SHA512

    3b7cf9ae7cb6d536e7af139dd24d2315c7de72bdb3950edeb6d133cb3c2d89c1af8bb7d763897a1ac90c35ca28a9616bcfe573d87ee8136ed35d82a5a0056847

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    8833f8916d446807aff756f328d50999

    SHA1

    4d8226f4a5742b1ed0b17eb10984413d074020b1

    SHA256

    44aa2d7bec64b0bbfe80358b9a56b9a0fc5b8725912094918295b4ede8031fd9

    SHA512

    e0a347de8c0b1008255064f82851cdbbfbf3a956ee56f860197efa26b733ba97b26a25dbdbb14e5558b4e19f4de0ddd6ab8b4b81d3a9ed267ca3c36164df07f7

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    3b21643ae4152eaac683d5be4f6a2753

    SHA1

    2414896b77cef7471baba1498abd40f2a45c449b

    SHA256

    e8273c8fd36cb24072cc1feee6874592b1d28a440e590822b5e4b6938c81da0c

    SHA512

    398caee9587aa0c12419d8864273a77b495d91a53ed34a7e4ca198910fb271b5f8cc78387ac7e3a25e108e438539116fc163a65d167c6b44124ab7a07532a3ff

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    9350b0d7845b1209441a25702196b3bd

    SHA1

    94adcefa67eb5fe376593465e1eac3c642175cd3

    SHA256

    57d2faee5ecfd47766e265f76f3164213fb33e26e4a85853b80ae93cfc1c2ea4

    SHA512

    2b9216fca9cb695d383de63f15b48be1fd0d060dd4e9ba4162508d5ecced47d7f8377fd411079a4cb30990b06b4f9e91e8ba8aca9b1717bd2d7c381aa817c262

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    0256b3404be50885c765013ee3bd763a

    SHA1

    dc0b77356aea6e0cf500a234f889587625ca2939

    SHA256

    d0af4bedc22b64ea80330c5284f40fec710e7704f6ad0799b9269c6a7dbade00

    SHA512

    c7f3620cb13305acaadac7b7247b58feed7a0a64375e53038326940bd0605cf21c1bbfa88ccc04cf168e818a698841690f85d0560629def2eed57f9fa76b9618

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    e51e107f9ee3de6202449d7ff315dcac

    SHA1

    40eec8327696857e7f28a3e22346a76e00306a10

    SHA256

    0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db

    SHA512

    8e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    6ef0e19e78a98d6a802839a6d6d29cf5

    SHA1

    75439911f4a549356b5d32ae5478391297afa9b9

    SHA256

    1c152e4d425d2e7834e25acd4ab8f578189e9afdad1dc7d0374a1da7e25e7a8a

    SHA512

    e3eab88309320fe50940d5c61ce45391e0d9cc6f0b72fc9e0e8258de186c7a97654f3338c89cb535666d9c7dedda47928937773ede22f05c0e8f25c8d15da159

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    6d56963a08869d6922fb1ca0880c30ac

    SHA1

    482e7cc59499e82f071b2f144dff64eda3dba100

    SHA256

    50905e7a2b67e01c579569570f26bce4385ab3b38357d951c17887e9eceeba50

    SHA512

    c6ee1447007e63d084650c65ff7f629d18be29318a3dfb616fca23164b624c7ae0c6c6a4dfcd38f4ebf203c10ca644c099cefafbff96be6a562826aeee71a742

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    ba7e17b70007df8c840107582c05ac78

    SHA1

    90201458595c0399c47360d36328e8189c5bff0f

    SHA256

    25091e7fca791eb987c4676aef1833b1763b7ffaac9548bc5c94791534a887f9

    SHA512

    37366484b94ebc3a85860e8a73b7deb49a7156e7462f53d9d33fa4e083fdbd58bb641fb514db607651461b0bf4699f5e542dddeee4817887dc0a7b926bd72d4e

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    a0f5fab3c2456d3776278171ad8f0946

    SHA1

    8fb747dab1377672071f525910f2fb2188144d7b

    SHA256

    abff5841b8641ae8b92b3b6dd6ff6c5c817474489e592c7845fe79f097073e37

    SHA512

    b0ef669f1dfb203f40604cd0c2cb7ee8b70c12a467d6e8a9a1faf77f66f73b7d6bf204afbd1eb46a895dcf5bb3e9d845fd960c7100431384268b0d159cf95556

    Download Submit

  • C:\Windows\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    3547c7903adcd306a8cbc1f66de2d173

    SHA1

    6cbe22fd0a26de98e8232374ec1810a87a7fd944

    SHA256

    fc12afa74c0142084fa11e3f50872ba347cc8e6aad29db819f8516e884cdd696

    SHA512

    80140330ea5df1f02200ddd00afc82f4d5cb8b633cee00046ddc5cca6578ff38f956dec1d44059059c8aca505533bc5114c74b1f06bea0befd80314a474a0044

    Download Submit

  • C:\about.htm
    Filesize

    2KB

    MD5

    94c0c5518c4f4bb044842a006d04932a

    SHA1

    23d9a914f6681d65e2b1faa171f4cf492562ebdb

    SHA256

    224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

    SHA512

    79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    07f44fb0146bb27ac489c4ab76d19521

    SHA1

    7ded6da194cf35629bbeb4060e3bf024eac7ac7b

    SHA256

    4b430d6d4a9d07a8fe80b56d6b29de7a7d91ba5266313f972012e0fec033463c

    SHA512

    8cbd380ee95b35858a1fc5cb46c61760eac93f4a5336d761163fb7c0b45e83548240e84f8f1499fa82dafe6caecb394c8e3317c633ca0f8ce656984463549a7b

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    34609799d72ba1274ae8f3b77c83beb3

    SHA1

    2dc1e3c8da68bb0c74e88fb787ff26a1a5769c1b

    SHA256

    7ed9eb8dd268b90ed8424eaea1d2d15f425a4f2960f5f073d06d24aa365f03be

    SHA512

    cb6621feb0a0f0bf8bb41c1f8f77295ce24e71e66c3b9803f50dd45cc362aa4a2de482c293ab0f3b67fe285b65e433b802cc18cb66bbc7f453f1548bc78dd000

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    7c90ad235948c06cfcc814fc7a8af26c

    SHA1

    2d996d98839ad64787ac4d22673a29bdbe5ad88a

    SHA256

    f36317ed4c2ac171c203b817adafe766fcb560d2b5de713851452e9376ef097f

    SHA512

    3d1ffada28ccc698d965ebeed76d65c631ec630e4a503a45346fc3c707bd29bf540530b85046ddc17b79bc5390528ae5ff3c0367c7df7c1f0b88db36dd859d40

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    5bd3d8486e3db3395815b899b8200730

    SHA1

    db2ce06a457ee6bba46144e282833d51b3a73126

    SHA256

    a3bd325127b749e6d0cea181d6d771384e428eec7451202d836af833044edda3

    SHA512

    208b59acbea303fd8b7a1cb6b0779303051dff49dc48e7a3047e2a232dc06755289ce78b861eefc5d29f1da3d2a9587ad7f17ff767f1fe758a810da3ab1b7e25

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    52KB

    MD5

    0a33d3b2fb659f0b40c492b9c342e920

    SHA1

    e74fe4155db315f899b265bc508607ffd911a30a

    SHA256

    ba4ff4b4a8ce92061e5dc4fcaac30d786092444d2a39e5eee9592b4dca715dab

    SHA512

    7831ed63bfcd4eeeb35362e37272c731aed07cdac81c7eabc2bd4405762cc3a7df9bc8e197f8dc45e56b7d8d9c65c87fd24a2c5c0c88af6d2f66194da71e9953

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    52KB

    MD5

    65a6bce2fa63a279575bda1e77e460d6

    SHA1

    ca452ede2f0ca5098792f58384d632de775fe098

    SHA256

    416847ed25463646c46f94ec80d6bf1900d0340f591132078a77dbf22738a0cb

    SHA512

    86b4c33643ca2bca327eea74402c9af56b7b0dca8f9166acd2a7e57302a128be6c7f00c8239bb2c6159670b2ca141a3b4eed403642ce316e3e8ebba12d1678e0

    Download Submit

  • \Windows\SysWOW64\WishfulThinking.exe
    Filesize

    52KB

    MD5

    0683c67833b465429aab08a1fd6ba2ce

    SHA1

    0e04315f3066469996c9aade8ea2ded0d8f739a2

    SHA256

    2e33b66a95b7f86e634121c27e9c5c1d25790c92b5edba93ce1d78c73d4522eb

    SHA512

    681c3b86ad1436c955d2bdc7497ad8b7a88467613236c9fb3428b9601fbc598476b771f2c0d52f5d48f528040c7e72affd1a40193bc21d08992098b12b4138e0

    Download Submit

  • memory/464-183-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/464-182-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/464-175-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/872-368-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/872-369-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1036-242-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1148-390-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1704-245-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1704-244-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1860-372-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1860-365-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1860-366-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-204-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-382-0x0000000001C30000-0x0000000001C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-401-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-397-0x0000000001C30000-0x0000000001C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-370-0x0000000001C30000-0x0000000001C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-396-0x0000000001C30000-0x0000000001C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1888-391-0x0000000001C30000-0x0000000001C58000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-113-0x0000000001F20000-0x0000000001F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-78-0x0000000001F20000-0x0000000001F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-77-0x0000000001F20000-0x0000000001F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-118-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-107-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-108-0x0000000001F20000-0x0000000001F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1920-97-0x0000000001F20000-0x0000000001F48000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2128-362-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2144-199-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2144-195-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2192-335-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2240-395-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2252-259-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2252-252-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2252-260-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2524-327-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-251-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-249-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-398-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-152-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-236-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-202-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-257-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-246-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-80-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-250-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2604-151-0x0000000002400000-0x0000000002428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2728-381-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2728-378-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2728-379-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2748-90-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2748-358-0x0000000000470000-0x0000000000498000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2748-375-0x0000000000470000-0x0000000000498000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2748-399-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2748-191-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2796-388-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2804-377-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3000-281-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3052-322-0x0000000002570000-0x0000000002598000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3052-194-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3052-400-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3052-364-0x0000000002570000-0x0000000002598000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3052-363-0x0000000002570000-0x0000000002598000-memory.dmp

    Filesize

    160KB

    Download