Overview

overview

10

Static

static

3

21a7d5e1c0...d4.exe

windows7-x64

10

21a7d5e1c0...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe

  • Size

    64KB

  • MD5

    87c3b910bb2e9f17682a4c59a0e46df2

  • SHA1

    07ab8e3432a872cf77aba14e042c1bd64cecb1fb

  • SHA256

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4

  • SHA512

    d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5XOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QGwJ8w2VS

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 7 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe
    "C:\Users\Admin\AppData\Local\Temp\21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2792
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1612
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4668
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3428
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:848
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4836
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1608
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2728
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4408
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4396
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1976
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4600
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4228
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3100
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:956
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:764
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:180
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2916
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1124
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2992
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1712
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4284
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5060
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2688
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2124
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4332
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2256
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:704
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2924
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4672
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1308
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:444
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    5450d4f7b050d72b760a704d95c928b2

    SHA1

    3175589cec51930d790faebcc09bdd855af92538

    SHA256

    5afdd9c446b90f59ea47e87fc2da7399f408a53fbdab3a7f18d2016ef190693e

    SHA512

    0ac0388b46c506f7b5ef2552e009d93b5508c4c8d104ba2ad80447cc5e65d58e46aa4b6cc244d28368bced783388126c74e0c60c7bec709756262d0ee0c8dab4

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    deacaf53c38d311f40d6ca15f3eea8ae

    SHA1

    aeb8d8a3bb16c76d6fc936b03d0dba500f492dab

    SHA256

    9f966db28e2a78667e76ac3bb4c011d8e7f7f01f9999aa365871b7b074db8dcc

    SHA512

    83476d59c79308a7f9fff7f43aba2eb3f3cc5d1425e781e3e10de7b016c73a82e4d49584b4f10b966648acc2a1004a2a9684b3d83c849acfaa79acc3152a20c3

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    383425c3b37869f635392e086239f736

    SHA1

    20b71308a39f8458cf89f531b1bc356efc616465

    SHA256

    f8a0d1ca095ec3facb12b35cf412372cd17261d3075e74038aead32b02530fb7

    SHA512

    f65b2ef9a662a1271f690b6456e8da434b82f60e57298d1146cca38223319f3f605d878368d575b046139aefa20dfe6017e825da1696e20af80da69561baca10

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    05d83b90df94df79e1ff1d6699262354

    SHA1

    154a6da805fe7efccbe68571a95f97d3de3afa0b

    SHA256

    1dba7a4a712efda9e39ac088f1ac0e065a4ba0b92d54b70e1d447cdaeb93ecfe

    SHA512

    52484ae15934c7590eb98a9ab919bb34fabe30b17541a249e6b87a5c7db4528fbe7625b12bb0ddda3ea011e1d439e8795809ddef4ec68ea17963659d0734e678

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    d696e2ecc027c66025c632556a05d0d0

    SHA1

    05c2d06b5fe0013f3ff214e587027a00b0070fe5

    SHA256

    36a02bd43dd908a59d9e39af60ba31fe0ce5747b0a8e29f3d80865e488ac11d9

    SHA512

    2faa93dfc61784aeea4569f3e96ef86771a8b4dc1bc4a9ccc67021f8d55242cbb10456d2ae7f38961fda7820f710e6a1acd05765e1b974d161a852aa5ce80916

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    d0082e2b9705edbdfb9aa6b48aa01081

    SHA1

    995af9d23499f299069926b5881c25b87f03b312

    SHA256

    b1e68632c7f19f9ae0faafa0aaa9b83df00d5ba425ff91685f46bf01babe1e8f

    SHA512

    c7de61d52860efd0c9d001b293a79e9e70cfa97795e794781b6d0d7ec33863346fea505040decca4484280b4be25a18773e03df00fade536da3c034718614806

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    bef64925dcb14c3a3bbd279f031329f0

    SHA1

    c2d8a3bd3a216cca482249ad5bed088f2da2bd30

    SHA256

    72f2646c8fe46758e1a6c7a7fdf26f8a2b80f7458ea8ab0d4c2ca807465bb0f7

    SHA512

    510372c6e744229296151a50f41127a7eef901318ffdf41b728c3fa5c0d3088857fcb688401b0aef143005cc0c5323838de38c9e6b7b9c4f50c46adef9949c8c

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    c8e5018a9b759e64d66b03bf1a6fd307

    SHA1

    856f7321e20dbed69cff37638a9926a8fe1ff2ea

    SHA256

    9f19b632c2de6868a1cb4ad3526bff988e11f59965614e93a1fa4cf25b1c6ad0

    SHA512

    badef753dc2cc7f2e12880f5c5effde0b7c1a5174348f4df0b6cd9a978b2c471a6a1680e72ba45e73970019e5d3020af23b9c01b981870721d0e428fd0f68fd2

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    64KB

    MD5

    219026de892bbd991ba4ca0519068ff0

    SHA1

    b4611ea1253f70111e22862e4be9bb20c06c65ac

    SHA256

    97de0d2fdb46dfbb9de4cdfe29015315ef2aea268cfdfb5069e7e9f004bd051f

    SHA512

    d0f496fe2b31709fd08b6c48a250304362ff4c55661fc69161c9a29a1383712667d2fd28d7614d41144ae0f46272c72af955a2a759a9dde26b31873abfcfbb0e

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    787ef0c504ef0d1cf466f8e20ba8832f

    SHA1

    56d30d0a1b26cb14cf1f343d8ab42c61425f68ed

    SHA256

    5f215121adb197502488b87902a7507ddafe2f4c7a3049749a444c23f1bac3a5

    SHA512

    eb5d38ed4d2e914939efed0bc341d1911ddc3ba5519b2cee133478ab91a22d225199e38c8ddb3da2fc09c5b4771f14da2463fdaf2af8509b50641e2d2d9ba1d2

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    9d0d224e8024ca7123403e77d0c9909c

    SHA1

    b890ddb6b5ce6c5dc597da863a313e3192ba0cef

    SHA256

    1495c6ae9e8609a36025a90dbf0775de954b4ff1732bf3c8b08479e63b77b41b

    SHA512

    1af00f09c822f27d47e69c9178b7a3c3856787792b69cd0dedd6990cfe8c653f04fe4b6351c14680cf7940f0cd65675bcd4d3d38179403a6831ba14049ed8af8

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    64KB

    MD5

    7b45d6e682b5efd2913e8f6e2062b468

    SHA1

    93fdcac3be1e080075213b8615f9bd2fdf3a93bb

    SHA256

    b9c74fe7771ac0cf7120960ea3aa244fa86839e687e83e8ba490275b79da234e

    SHA512

    456d5e341f9ca00d5492848251cbbbcbcd0a70f24fc9017ec1d9525724d0035f7af605c3ca4c9ea5698be8caec0c8b0577e9101e102a8af9f2994db442a3a095

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    fa06a4dc26e2eec41e40e60946245a0a

    SHA1

    b0e508e29aac8768aeb33d184b3cf2b4a6cd77c7

    SHA256

    63021dc468f28052cc857c49a1a68ae73f196d60dffe0e232b85073b5e207de7

    SHA512

    29fcecbbc81bfd5e3a8a402283d643d4307edf51a28d1ae95074bf16a44efcc26ea1ba7f014082c80182ae638d731de050b814df12f2af851af2441326f2621d

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    513864d28d01c4753c150e69bb0ae0f2

    SHA1

    182bd4e57cff6567442110e7c9412a31b5255a19

    SHA256

    a384edd8572dc1ee2bc5395e18c1ebe580125fa3f60cac171e2f4c3befd21825

    SHA512

    15fca73a7bc21757553a8e7650f3c943210b346aa17e4644fb1dc4af5e2b6375f1e3db7448739123ec4c415791dfc4836e5ab168595db6f94757710a25e95164

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    87c3b910bb2e9f17682a4c59a0e46df2

    SHA1

    07ab8e3432a872cf77aba14e042c1bd64cecb1fb

    SHA256

    21a7d5e1c052c07299f2bb3b77799aec0936281e9a7c83d4fe1d777cb3c918d4

    SHA512

    d93372b3773db93db7793b9af1ac3f64037887d615f1e764a7658cf9e781fe9ad9662086fc4c184d646dbbd2f3265f71a4f8309d2bc6f8f691d4ecefa7d96325

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    125702c7ae94a492c858b03bd0634771

    SHA1

    c29df9cfab5519583eeaae1b3f06b52d9200fe8d

    SHA256

    c41d6c4cfcd48446bb431c93f1616f4a45774727aeb5b7a5cf423d38e76c05a9

    SHA512

    0dddccb9e476adc4cba5cc355412e9ab3963568bfba0fc490b2772a4de2987206b476d242f1a27dba8ca7ccde47d4781fffb3a3ed224eda7909218fd811e9b86

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    7baa39d7270ecfa2422c29e882d90919

    SHA1

    5f19eb2e74ecb8b8f04baaba3203cb8feaa9144a

    SHA256

    700ac1477197f9fd8a53181310809be7519e3e84954252a5716191343894c1ec

    SHA512

    1380a90df4b4225e1dc2fe03ab9ae2ab3efa03cb78950b78ca273a239d8ca81d0a43b34b2f72fe181022923d7196af9956fe42b1cb7cff25c283a6c1cc425ef5

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    64KB

    MD5

    ca5adf6278a9f113b16d9d1963c17203

    SHA1

    f8a0882f072a573d34e73bdcf0f9cee70347b2ff

    SHA256

    4a9cab2eebea8ccdb9c2225c0474cc9b58631c09095b4752f75a7fc2980a3494

    SHA512

    541c54d9589e497d6b53ac2743f1cdc3806117862b75202ad28a772213e7c023c1a1d995f8d4e240222a8c93550c892ba46205b744d23be047cf75e164d13575

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    64KB

    MD5

    c12afe78d0b7e786582a2f3a04d5004b

    SHA1

    8ede016c6ca9843fb55784125d3eff62d8cdd15c

    SHA256

    9a63a798e0336fa550bd9d70d0b2a4e335f04d2ee4769265608bb5d6aaa17f05

    SHA512

    939bf18782a8bda35275f4776b27740f9f631c73324f486ff6211e3e8d69e85a025f7486b0c4ca16f12b517fd15c0136b1b78da319652573fc0fe8d33a08ef48

    Download Submit

  • C:\tiwi.exe
    Filesize

    64KB

    MD5

    a7ee8848a5696b03c80c0bc3bbb16599

    SHA1

    f1e910d148998b981bc9cecda690821afdff233e

    SHA256

    ab52ab3d011a628ead70af691e706f25e11e4c39e2051cad7ca45003346225ba

    SHA512

    385b1007a50ce8d8e3677b88d39ca59f0af435d3cd70f2d3c4f44aeb1755c8855e9d135e7d1d3a402872ef48f1dd1e5e3a188b29899527e035d57ed420e39abd

    Download Submit

  • memory/848-251-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1124-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1124-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1308-317-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1308-288-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1612-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1612-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2688-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2688-282-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2792-255-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2792-386-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2792-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2916-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2916-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2924-185-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2924-198-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2972-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2972-261-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2992-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2992-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3428-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3428-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3832-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3832-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4668-192-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4668-171-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4672-197-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4672-222-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4836-258-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4836-397-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5060-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5060-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download