Overview

overview

10

Static

static

3

be27a344de...55.exe

windows7-x64

10

be27a344de...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe

  • Size

    488KB

  • MD5

    79af48ffd26e35d00400b84af73b39d6

  • SHA1

    30da916fef4549f8fe094956fccd6f92096230ab

  • SHA256

    be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55

  • SHA512

    fa0a4e681e29fffa937bcaa92bb6fc67503071cff81aa172c71aa21cbb218f63549b9403023d7e1910e95cd65552d06f887d573a7ca02cbe735a7ac19db835be

  • SSDEEP

    12288:V/MW/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VJK2O2HIBEd7M

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
    "C:\Users\Admin\AppData\Local\Temp\be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:392
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2356
      • C:\Windows\Notepad.exe
        Notepad.exe C:\Present.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2252
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2152
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2844
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2320
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2808
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2604
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1944
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1132
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2456
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2264
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:696
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:844
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:876
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2832
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2172
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1992
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2856
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2920
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2872
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2700
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1620
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2352
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1296
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2612
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    0b0ca9091f36ba10e2b418dc2e34595f

    SHA1

    a18c8e72e7d1bac879c5880ce20fb08135f4a9a6

    SHA256

    d5ee6a4f02b40a4fe9445490c0cb88480f7a27203b581920977eebe388504d15

    SHA512

    ca46d81f0c9edce7eafd0735d45953931e75c55cb9fc2b7055d2e20f31d1f57eef4148d6e6b4aae8de1b584259919be6e2d1a21b93dd426e0b74b52e8c10d55d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    488KB

    MD5

    e695762bfee1b92b346f17b01a5c2eee

    SHA1

    563a1e5a5861ed74e260e574d0c2588bea01bd3a

    SHA256

    1f195e563a24b8a96df313f6ccca3edbd11acf37e62681179e45b311006b5a0b

    SHA512

    6a01dc586645e94914adb4893bd4732b20ee7170dacf8dd507e896b162fca5714897b4f9c034551e7e702207eb9645b6a830da66c6344039248bbfb07b530c95

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    488KB

    MD5

    bbb4efa13dfe550f2540d7baf8615480

    SHA1

    7c20a4545952dccc8989951f292824d00ac647f1

    SHA256

    074d43fa9662aae4f39a14bf2feb79307364e99a2c5a954faf380fb211a33c87

    SHA512

    09b4227a4f22e87f7234baca634bc0cca77663e821bf77a23114c3d085087f090b06feae86a0898a9d703eefaa89a5760dcb739d1cf8e8b4714f2173d1da75df

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    488KB

    MD5

    28ef5290dfe78b52883a5275139352f9

    SHA1

    eb994a1fcb007ea8917d684b300c17d6952a0e4c

    SHA256

    37f1740bc45da90c56d5aa0f555bcc9851c25da51fa142baf01e328fd19426a8

    SHA512

    ae52b76eb27ca8a878e014e920bfa5ddc14ddcfe2704bfa961eec6f0d8cbded341c7abb217f3a54c70d19adebe0ea3dbf4d3e64fec10d0024ad9aba97b5e0e04

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    488KB

    MD5

    baaacd5361cede39e4280fe3f8b5c199

    SHA1

    a32c20f1fc6fac6aa1b2b1823278e911b7843923

    SHA256

    0e960214324111eae955412152b69a14b1e7cd41b102663d70fcdd68653d31a0

    SHA512

    c0e38328eecb899d01f1d8eef3e80c7c5372ed177aa9c0237775b02d69ed58d29a6c4fe07bcaed2e6335bff79d2abc09d739cf22e3f6f5780750be373ed8c8d8

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    488KB

    MD5

    679dd4e4f07dd900c25bc8a22ce86835

    SHA1

    3622f2b6261ca56c4af163105b8b1f7576ac1fd3

    SHA256

    5196fc03d8238d2c2005d438ddc97dcb55f82e72d43f6763002e71d7c4398b24

    SHA512

    1e18e46957e89add7f82410fff22317a5827ea87e3a094f322e8e1f891bdb530546d34e3ac5b2c5570b18ba46185fb812836b7b6d35d96ecaae2726cadbfdc05

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    7943e9d58e1ad73fa84c4314edf98130

    SHA1

    cd2e12c474172d7c183e1593262639505130cb41

    SHA256

    6f89bbbb73671c827031870744231a21ed4bc4b10ba17454f2a5f58317a803d3

    SHA512

    651cec9ad6b78970b877f390d6edbdeeb413cda5e55b24b02f1bd5a87c0c4182fdc792a7ae98b0650405f71c1eb92a68bc03c36056a560862dbbf302222e0e62

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2e7e4b0c823d9fab3da0eefbbd210d29

    SHA1

    576aefb60b71c2758e37e8ade1037badc2a14a21

    SHA256

    11e34894347185b7a802ed4fa5f31520cc1436a47610dd088e6deb84078f23ba

    SHA512

    a5545374b9babb299dd1ead78698285274e083d2ddb048c617d577f6aa9ac3be2a21cadbea5a7e2956d36e4991fb05c2156450a819e85cca220ab81fdde8cb64

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    488KB

    MD5

    d1433e9358ccb045ece77caf52d335ae

    SHA1

    5cf4a06012da35f9413728761906b3e9ae594a10

    SHA256

    d55387de2482832060a0d77eb0f0c8d3150e260e17ba9714054ad750c7d241e9

    SHA512

    51f7e8c2ffc793f938667f07af7e4936e6eaea4a1e46eaf41f95b20585d2bc186024956edd260e7bfdc08af846dd418c3d05e96dd580e567cb19fbded07eabba

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    488KB

    MD5

    d82e8ca5ba12a64c149dc6667844c1e2

    SHA1

    08bf6e0496928ab36232ebbb6c0f398d81575c66

    SHA256

    870fcdb7c2246bb148139d3b21ecaac9a3ef3145d0caa9642397568882cfe6bc

    SHA512

    c95ca4ad94e7a6c0f5f69795a7fbbdf3d2ccb243a957615c442bdf423cb21df8c37a86c6d2ba548468f27d33858109894ab8131d26da8cfc800f05391074acde

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    488KB

    MD5

    aa9eb9464e38e677033a863b9140551d

    SHA1

    bede5a543fedcd83e09e1375683cc9fcd70c5123

    SHA256

    1efaf2864d13be38ca54ab7b8921b549507ec07619f2384ddcc549bcbf25356b

    SHA512

    07191a6efc98fdf678f443a973914ff18c71b3ca4bdee308665fe11c11db1cdb8e808c62b4206b03b5251af9bce11bbef870cdfc1b3382ba8bd97bd7018fa8d1

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    488KB

    MD5

    3815bae9400b4bab0fe93a30d846ccee

    SHA1

    031fb871c9bd52b5b54a9f664a87693bb84a4263

    SHA256

    fa1241e6ef6b7617c1c0e125514c0b5b73e8332c008119d66c1e495429fd0c18

    SHA512

    abfd55040de6b0bae83ac47faaba8b368472feb178d20a70131743f08c59aae8787cf61356f3a1e4b5caeb78da32a61645e050a56b6ee82b7d5e4e4fa292b7df

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    488KB

    MD5

    c8629a76381ac689465708bcdd1d1b26

    SHA1

    d7c2d7710b8cac1ebafa5c692fdf21cf7a252328

    SHA256

    cce87cb936ba7fc3f6c3f5fd3b1dc96096a71eabd19525f12df611b22ee23158

    SHA512

    e9fce83e925d67cfc36222f1562d33955331898267c3f4c7aa1cee5f9b6107e73142e19baf7a6db9bca96c3ed53a36a158ba6d4d2fd52139e2caec48a14ad641

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    488KB

    MD5

    0045cff6f1fe3fa8aea0ad43cafe7dca

    SHA1

    7e63c0733d07bb985793fc382796c0cc1c6d5aa6

    SHA256

    b9b2f6ebce24cd7b658189793a6316932513d6caeaa42e154411f4dcc82239b5

    SHA512

    b7f8cb7f00ae7ce2d4798abe997333ef4f7feb8621490a3b2de4465962c8bf20ef3a35c97a8968a4007a1239604e492a447c515891f1c2a990f1846441cbc569

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    488KB

    MD5

    8aa69b788370ef4587032401e2c9b11f

    SHA1

    52660f3ca127f11627b45c5d353292c3f7a68430

    SHA256

    f16b2a146197805f0eb6db87b8f0a8bb3ac250a87dbaf378ce808ae51f67aa8a

    SHA512

    b328fdc07514808cc711c2e17212fabf2b04903668526bb56c46f52404095e8c4cbe15c24fd9b81d2a4fcd3818ecd00da42bb637972f1225bd65ede615f95034

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    488KB

    MD5

    79af48ffd26e35d00400b84af73b39d6

    SHA1

    30da916fef4549f8fe094956fccd6f92096230ab

    SHA256

    be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55

    SHA512

    fa0a4e681e29fffa937bcaa92bb6fc67503071cff81aa172c71aa21cbb218f63549b9403023d7e1910e95cd65552d06f887d573a7ca02cbe735a7ac19db835be

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    488KB

    MD5

    a7a99ce9b70d8bd5523aa8b636ef8a70

    SHA1

    6d1fe479ade33956ef1635ab278c7414fae9ed01

    SHA256

    6b35e5aa7f5d95f9b7a01f3b2fa7f5de393bfff7175cc198d242911b46bafa48

    SHA512

    e4e0b1f233124e55a82a64994ca467e1b64918357ebff55dad26473b3ca7569d9f99c165284622b93477a3566c9152d35ea8fa140ab0905b2821bb1139eff84e

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    488KB

    MD5

    c3468aa61e98ae885fd33aabeaad7e2c

    SHA1

    176b239c20e823cd96d04253358ada123280e261

    SHA256

    524b77ca0aa3ba87c7570f7e7fa90053293f675795c355852f583e5c8176a821

    SHA512

    e8644deeae75fed5fa5f61433d882d8532d48b9ff0501ba84e54b748cae946f5730abd4dbc91f3975c58ceabca294d32761e1beb4f89f1c65debb9ef8cb7a57d

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    488KB

    MD5

    8a7795e71d66a9816aeb4609679b26f7

    SHA1

    f14c76871f0c311ba0be7ae606c3f9d0570569f4

    SHA256

    f608968665dee190bd55d5ed652db212be822e8045654173af53ae5332833462

    SHA512

    7a1136bf663501667e54f2cde660b06607c6c25f9954694e425f6f304e7492ef836588852776d3f9bd9fe38c440272ce460fa2ebb1f0f3316ac5718713ceb541

    Download Submit

  • C:\tiwi.exe
    Filesize

    488KB

    MD5

    73f8e51e94ff7cb4383e222573cdb96e

    SHA1

    630668f6687a53877a9b2c3bd31c3b8123095a8c

    SHA256

    bfea8aa44017fca0e6e46d292577b3f3c3d8050412d4101c3b9e450b7a682092

    SHA512

    fba1d69b2e86765cb83ab27078642772032507b4ce2643860e13dcf212a445fa3fb40d028565962509106999d3c08cfca56b1bbd42d8721d95b7cdc5695d541c

    Download Submit

  • C:\tiwi.exe
    Filesize

    488KB

    MD5

    5b92c8265c50b390a67b3fe930f72c84

    SHA1

    fd6ba5192eaae8024c6d4d02ad8a8e42446511aa

    SHA256

    d5ac390b8e18d09a95c53dc0345e750d58e1d584e0f88a730be32a229f01574d

    SHA512

    43e854119ff3c42cf072bf0e9597a1f9d32f6bc72b841d2e6876b4506f2fb9f9ca38faa32a14d74786e19a741abef9114e30c68e8172cbe0fe01a2dc41030d1d

    Download Submit

  • C:\tiwi.exe
    Filesize

    488KB

    MD5

    f595333074e4ceb870a089aa67252177

    SHA1

    83811b80d3b1b69c477ff786314bff92f7632109

    SHA256

    d63a84ac40152d34528885b6c210631e2949a547aabf57a334ce6aad218bbb14

    SHA512

    abaa52ab222d1fd9b928222f8b89a1f874183f7c60e216dfc5f2eb5e0857c79851309976051519786ff710fefaa951ca8dc3c9522b7f696dd5a65d741d9075b4

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    488KB

    MD5

    f6f49dd6fab63de28988923f0b39b824

    SHA1

    387342dd6a727473cda693b8134e0ac8ebd8e4e2

    SHA256

    6758a6218dcc3feb97e6dd30737a2a9066edf2eef56ac9af1c8da01c319730bb

    SHA512

    08e49eabccc4856d377a0362c43bfc2f3a8b235dfa185506f4c638370bd32e5fb29ec5b102209f6849f28f5b6e33ff9bdd25ac4e8c9ada3b5a9760f859f7e934

    Download Submit

  • memory/392-111-0x0000000003360000-0x000000000395F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-285-0x0000000003460000-0x0000000003A5F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-205-0x0000000003460000-0x0000000003A5F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-329-0x0000000003360000-0x000000000395F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-98-0x0000000003360000-0x000000000395F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-284-0x0000000003460000-0x0000000003A5F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-109-0x0000000003360000-0x000000000395F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/392-419-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/696-272-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/876-360-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2076-267-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2076-209-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2076-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2152-210-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2152-211-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2152-204-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2152-207-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-208-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-425-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2300-433-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2300-434-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2316-371-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2320-422-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2352-428-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2356-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2356-274-0x0000000003460000-0x0000000003A5F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2356-352-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2356-283-0x0000000003460000-0x0000000003A5F000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2588-403-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2604-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2604-265-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2612-413-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2808-409-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2808-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2808-280-0x00000000033B0000-0x00000000039AF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2856-355-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download