Overview

overview

10

Static

static

3

21a7d5e1c0...d4.exe

windows7-x64

10

21a7d5e1c0...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe

  • Size

    64KB

  • MD5

    87c3b910bb2e9f17682a4c59a0e46df2

  • SHA1

    07ab8e3432a872cf77aba14e042c1bd64cecb1fb

  • SHA256

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4

  • SHA512

    d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5XOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QGwJ8w2VS

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe
    "C:\Users\Admin\AppData\Local\Temp\21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:392
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2600
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1260
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2544
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2948
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2500
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1580
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2764
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1296
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2348
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2104
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1712
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1820
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1756
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2660
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2296
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2852
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2408
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2384
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2984
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2260
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2376
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2536
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2960
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1844
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2700
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2036
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2916
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2356
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    31e094ac8f29b2e52c94fef555d1c534

    SHA1

    fab1b592d2bc4e529b472b16cac4da3a5c0900ce

    SHA256

    b8b54a2d596717c2028735af9534aa97980788f94fea03f1ff6f8c46d078d933

    SHA512

    6452e6403d5176880f6bb41ebbbdad0a5586e9825c5a81168041d9168bfb2e287199639d6ea543e621b5338b9be62c79d3128f8d594be5138292ca89b0ec1f38

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    6ae17e008ba3ba89c7e159bc2be82596

    SHA1

    cd178ce5787b82e6869d839bc3a5da7de19aa417

    SHA256

    c5607de2ca90be8927de15d7d764a5fba34c4d479866e14f5ccf4a01a4aabbf8

    SHA512

    ed324006c53598a284e9db92aeefda41dda22a41b8d3b2a7f1092bbbc9193bdcb063145258d3fea49fc52d79439939f259886da81e93bb19fe3b451c40d4ecec

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    b728b718ee1aa62ec76fc35e7ceebd25

    SHA1

    2da484b567e897493ab9f43ed669cf053ae3a0c4

    SHA256

    8155b86eaba348f0c8745f3086f326b5743cee5981d2fefc396ef35508911de0

    SHA512

    4841ae813e1e1e1fad982aedb807ec869c2da7fbcf45ce50209d867077202308444d69b11e9175550c6b4dfccba4ed37b099bb3877a89c827581a4aef9f7581a

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    e9f3385d3bfded2c751e57f42266fa40

    SHA1

    de3384c6509d387ea0a4cb490533a7c06006f9da

    SHA256

    efd33d98af04ba0f779dfcd4cc3184bc32bc52248276028a7d9546ff863c8c7a

    SHA512

    c4f157df41630070ea8f4119bb6b142c976d0c4ccce8fce550992acdfb319782ad901be7cee5ba9e0757872ceceb31988af2f944b07f0e9b8a25f90d8eaa18ba

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    304fb61ea065450828227c6628b5eb96

    SHA1

    81f5a70ca627425b3a77547b36dde8cd3cb6fbdf

    SHA256

    76604515b1114b670b02a76055ad7716a73f910a6ae3aa58f87317b624e0fb0e

    SHA512

    e88d1e269f7e3e0d520602a9540420543be4274075f00b4f796cb59e2eac7b8d11ac60134e22533a703ff7abbe554d0024d034b323ed074bd9a5349f3908bb9b

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    8fce0175fc129d022f11d8767ac19c74

    SHA1

    359c7315f13c30e4fc0a5b47bc7632d19b8c7d83

    SHA256

    38dc3f58d8aa4e8b8e8a05aea53c13a21b9f4cf909320fe2d09ba1af227291f5

    SHA512

    9939817e0af59543f3a7be07c2a23795d651f497e08cc6055d98196bb9f6980b173272c34da89c26ade669811b7b3ca2955f63b3d8a12644bfc0cad73274ff3c

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    529ba7e3b3d85bb950f2513ecdc837e1

    SHA1

    b412c56760f25b6c540361d4c33d51fb814a23bc

    SHA256

    4fc14b5dbc2e9642c2ce9c65a15f62a89f49fea62ef4ed746d8bbb5c4a82bb6c

    SHA512

    633d6f8b4040da6e72a458c6ceedb296361f6edc99c1e79c6129fcf8fbbec57fb62446ed66457fd618d8107a0ab0872672e216c04ff85b5310afbf5ff3ea2c21

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    64KB

    MD5

    386d7c2ae57c24f3b225c35af5e6a0d3

    SHA1

    db03dfbf3ecab7293a5969284e9355f6b40ebbf9

    SHA256

    f00e3495265a959375120e9a5de95ca3483b7510c5edbf51d8a37abe0cdca99a

    SHA512

    d1bcca0c1270bb71b5a244b19297d6a5f7af48368423bd157c7b3133225408580a942109430c292f78305ce12272b3254f6599f8f48c9d7317c771737bc448cd

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    64KB

    MD5

    9c6b8ae1fd932a6434e9cf035fb0f91f

    SHA1

    fc80a94fa6f925c2ad4c630fc0c21d9ca0997d74

    SHA256

    e8814e642045f671579a69e30930ac168577e31dc6a812712a00fae48d9acca8

    SHA512

    bb30845fc90c181abb0598952cd3e979442c714e99a7ad0bc41dd21c34b190f18ec5f48e38ab138f5cf8f12ecba99f1200bd7c37179874f1166cb46becb62010

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    7b9fa3c58cf7f6e712b7b3cdd7954d3d

    SHA1

    af8e2bf8c77dd5cc99eefd56d5ec2ca6f53c4f99

    SHA256

    fd6ea671c01bab7a4d534787d59f5df43024f5ac928183487df36e59e7ba1457

    SHA512

    dbed4301464b9439bbb9dce71a3175dbe6e5db8cd68e7977ba7ac87b1d2b41526a4ecc31092a675d0c4b66794a1cbffa9f370341abfb7a6b0a93f4b6362649f4

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    dffd87a462a7aff4ecaf80a2a572daec

    SHA1

    2dbfd56a99e7ec041b36e12e0d8388fc994c2dc5

    SHA256

    c9064c0bd8ad4a11f8c088cf0338311e8d50906495b5967bfcc78c55dce0acf3

    SHA512

    01399282978ca908107f42ceb79e6966b7ad2eceda58fd7ee3399cf923d6a0d5b224a6a710421b37110a41f70f8771baf38738e06d30f01cced19aaa184e436c

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    26603f17d7d49436a89ee29da904456a

    SHA1

    ada2679d054859bd2cb4a3faf3d690dc4f2d9013

    SHA256

    b3c9bfb1afee4149b2bb4c32e6d1ef15c26e5b95ae30d6ee9e7d4c2547a854c0

    SHA512

    a757212bc82d7d3b6889360cebc4fee26093b41154b62b584dce5c101bae5db3f6424158d0497da923b3f3f1e74a761888d0651da652cc12b43097287917c755

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    9f31dfb841440b6d9e78c9ac668ebc28

    SHA1

    b34bdbfb07cd406a14e57e78747d315397dc46fc

    SHA256

    52c08b1e6f94845b3ccc2585477a18bc9a0e0b93a0c2466b8746ff8fa81a3a45

    SHA512

    877efe2c4344778018358a895b7ff11b7d26905546373b64ec4a87d94c74e69ffa11d8fe344fc2a2c2addfe8ed2d4f9b3a570336e3c26d9b908f98e9e8663277

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    87c3b910bb2e9f17682a4c59a0e46df2

    SHA1

    07ab8e3432a872cf77aba14e042c1bd64cecb1fb

    SHA256

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4

    SHA512

    d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    810780c9fcfc68b853a90c34d4e35154

    SHA1

    38bbcffbba16e54f58c34aec131b8c632f4291e8

    SHA256

    c93812be8b81cb0212d80bec83bd9e5a32cea8bc1924dd3f69e9d697c82615f3

    SHA512

    ef9ab8a88a1c93758abda9af062c881c6667f12c14e4b6ab89789919d7d6461724bea7ae980f5d08c0e91f6f8efe29f183e0260116c4973239a4437edb006547

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    1286be9d1775e41c153046e4e749008e

    SHA1

    71312ce596cb7d88d43b070a9b74f9c94d6470e1

    SHA256

    4928b6855d47bc4774f8d242f8e3fcc409b7847dbf1c474bae4fb0690b8bc612

    SHA512

    b5d6e6c9ef943ce5f4f8e3822defa69db87033e508ca5900f7a9147718ee61aec89f571471e482bfafe0432d25adc6975aea84c9a9cdf0aa3ee6d1e190a43baa

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    64KB

    MD5

    ab4f2b9dfd063f3d541e2b673f3083ba

    SHA1

    a2c7bbc1ac605d26563a299acacaf6cef53172c3

    SHA256

    cf6ef788cdfd6fb9d6991be567dc938cc28d30bce0954fc3e4bbf66c32219be9

    SHA512

    f6908167be64e49ebd64ba7e61656df06d93c58e2fb018c440c3031a761ff5cf57a50ddb5411d5531a29e71f8ef1c23ddd967cad683b2d5c79e40d55c9f38b15

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    64KB

    MD5

    d8839e6ca068f054acc522052de15e11

    SHA1

    eb596df3b67eeebd69bdc85949d59ba24bacbd7f

    SHA256

    fd06708eba47d5fb800bb7e43e421b983b46a512f77e169a599a1a14f26cc441

    SHA512

    e1362ab97664291c071e4f79e74fc741f713b47c3eb4c4f43dc3648bd43b2fb23d50e0fe2bba586533d8699c000e30ea68709a06b71ac2a5822f9d1cae7bc016

    Download Submit

  • C:\tiwi.exe
    Filesize

    64KB

    MD5

    6e160aaf0d6308ce77140ce939bff8a2

    SHA1

    f69daca60496ac3c024d14c05ef5a158ea030caa

    SHA256

    e98c4d42816f2b3e880494b6e6a6cfbe9eae138325ea513ba211ab96088c4586

    SHA512

    22a12d155e718072a3c0833dcbf6622012901b03a8cfce884da8ae6e724e43cbfea91a8151d86425f0c9dd7588e911468c908ae360df5bf9de06e991d4377633

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    64KB

    MD5

    74f2867fef1d0fdd3d11d66feb126c7e

    SHA1

    9ff586df60539fd5ec8dae1fc1a042aa1b710364

    SHA256

    628c98a75f13b18758e66323e614bf776dc0cdcabbe145d27983ba75583c98db

    SHA512

    960df038e17ce5ccdbc6ff33ce49efc332e852fcd27332b14fcae77a0e3cbc5c364bc565bd174d1af244520beabfa25211b8ea259423f94a8871d0c6038bab11

    Download Submit

  • memory/392-110-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-253-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-206-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-100-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-275-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-98-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-111-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-265-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-431-0x0000000003370000-0x000000000396F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1260-160-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1260-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1260-279-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1712-255-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1712-277-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1712-269-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2104-251-0x00000000033D0000-0x00000000039CF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2104-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2104-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2104-343-0x00000000033D0000-0x00000000039CF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2260-207-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2260-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2260-266-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2444-276-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2444-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2500-426-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2536-421-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2600-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2600-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2600-278-0x00000000033C0000-0x00000000039BF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2600-438-0x00000000033C0000-0x00000000039BF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2608-398-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2608-397-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2660-340-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2960-427-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download