Overview

overview

10

Static

static

3

98d5d12653...d1.exe

windows7-x64

10

98d5d12653...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98d5d126535fef107bdf843a0bda2f9a354dc42a68c92957178398ee13a9f5d1.exe

  • Size

    64KB

  • MD5

    339ed763d4978b08c3ee73e7c888f2fc

  • SHA1

    64bcd6d5d27f123531d7b1f9a23db45fbc04b490

  • SHA256

    98d5d126535fef107bdf843a0bda2f9a354dc42a68c92957178398ee13a9f5d1

  • SHA512

    5207562db4a104cf52b35cc94de57dc386801baa457adb72398a67068f07db41152df2a5ac81dc2d06baf70d3db730d38b4053868f2d44bf9628716037d01b54

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5hOwekflNuG777/+V2:V8w2VS9Eovn8KRgWmhZpX1Q8wJ8w2V2

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 8 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d5d126535fef107bdf843a0bda2f9a354dc42a68c92957178398ee13a9f5d1.exe
    "C:\Users\Admin\AppData\Local\Temp\98d5d126535fef107bdf843a0bda2f9a354dc42a68c92957178398ee13a9f5d1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1168
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4800
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4808
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3312
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3324
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3996
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4300
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:940
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1716
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1652
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1552
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4108
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4564
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1676
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3772
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4812
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2336
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3420
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4904
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2944
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3124
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4232
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4100
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4748
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1828
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5076
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1500
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1520
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4460
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:372
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1476
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    f1dcdf03754a3b9c686a1e838d4f35ed

    SHA1

    1920f1a3dc14bfde91e0062bbfa6b06907a0700b

    SHA256

    c105cfb7cfee22e99c63229cb1840dd4e81fb90c785cc9c394828554af3bab88

    SHA512

    34c32d39a90591e818dd2e0f77095e1705b01d1fefd32819ad73e58cb8278e1a9967018460dc669d707e8a961325cecb3d5ea6d4b277acdde7c5003ef565d769

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2344bbe2ce7232e31c0861d086a151df

    SHA1

    99f965d1208f1113abfc7e2d53701fdd940df418

    SHA256

    1b8b1ff1cbb7dab53f17b5fffe374355df07e4e67617b235a01be9081de18b34

    SHA512

    b703197ab97f9b2bb95fcb4104f2eddabbb5f28a095bb938be7b4737f8c33c298c9386ad3c806727b55df8a40b93eb41727d236a749d8757f0cb01d5b03473ec

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    e738bb87297505071e50b4f994456978

    SHA1

    b9d44266e683a27854393c02effac6c06bb016d6

    SHA256

    bb1c43bc8df91f69ce6de676c11aabd769609d17a71e6be9a9acef140f3c1603

    SHA512

    62257f8dd75462563266be1c4400c953a0ed0637cfabbd681eb7a36d46ea115639a508576d95f0e0acda71cf4292081fe8cec24e90bbd689e5a1d0fa7dd395e0

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    64KB

    MD5

    6150a4e56854e01ee1447ea3e3af40b4

    SHA1

    ebe49f2e0a357bced59661262cc25f95bfcc334e

    SHA256

    ff64ced9fabcfeac5a9a083b418fabf47d3b06d299e1ee0ff17fb7706b957ec0

    SHA512

    5b0d99f73c45f5ae6e67e2d5b7813520e08e05d81d090c12fbdc981b8cfb31b379f2de09a0794c0cb52be8684e487c357b6f5b73af452b95ceeea726b07ca177

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    64KB

    MD5

    09e2c51e3df5d6a5938349a0fa5aee03

    SHA1

    e9473c56539a7179f95177b948120349751a36cb

    SHA256

    fe5cef98419046a244f0daa0fed20413b90e9cd7f96df64565f2e06dda4d5d84

    SHA512

    b9eab69c926ba8478460b95643bd97d8dcc292906ea7a1a12a65d5520a8f627b702ab8ed94b0c20bca40a4d39275b4c1ec6fab51f4339ba38be5fdd093ab1554

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    deba6f6d8382189682d428e9201d80cc

    SHA1

    3025fa4516819bef81fbfb6c97b08f8ec216baee

    SHA256

    60e6834f9783b77b2299d010e00f24b5b994f470394997de7633a743a0521ed7

    SHA512

    8c1c4d6dc06e40f2f9bfc495f78e1ea6227e12aa19a5a388b01796470e4f2309b6784a5bd1011cb39379776486fb874a111e6f678eb8f74f0f68c914fbeab8fd

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2f2ec7a0d1693262ef6f5d9bb07f27d2

    SHA1

    db74ba1ef5d9abdc0b45c61a4a30e5b8c26bdc26

    SHA256

    72f6cf2cf108d8cec7575f85fa0ca901f8589a1215bfeeea13c35bca57e9d757

    SHA512

    b4e6d42f4e993e97c0d1e1006abbc282e083d54376e367f571c3d8e5e434d6cdf8a171f9bb135901ab6f3f7ee59d6cef6177c8a9b974a2512a6fbf704e02f95f

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    5679a2ab3026a644f4127f8c2975af8f

    SHA1

    f258df780b7c861985e5e2d0c89aad5361ca46db

    SHA256

    d51d6dc58dfbc148d51af8aecb9766f657c1eb48c43cec5698146f5f5e0da59a

    SHA512

    ce29d989d1374aa1ca5b365e719207221a0b635cea675e78b80bc2569a622b41865b6407cd18477b79d5bb08d277ba4b362b76e3042e6e132f4722215875ff83

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    64KB

    MD5

    5b1b70924ff6bcbe7545b6482a6a9976

    SHA1

    a78c6785657726c2a1d082fd15af6fa6a77c15e1

    SHA256

    b57888f050336d909dc102c2845e650fca0fb6269d6e5de8efc26c040e67bc97

    SHA512

    7ff405642c9f2d0c97437388c273d6a734a4359c4eb54fb7ab1f5bc698bed9e4933481eb4d2aad46e9d79bc869c694c75731b6bea19b7763c21a6387dde84864

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    806ca0cf7cfa920ad8c5ee43d007508f

    SHA1

    4dfda52903f9bdb8e1dca0383ead8ab8b35a3e26

    SHA256

    42a99267ade4e02785b6656d50dd3bee1ceb2643d650a2fa24833ffc6f83e681

    SHA512

    8323fe88282e67c7d6f138b595cf8de6f6b0090355bd64d024abce19ec071433d62d5a33f00da2d768f8c5fd275929957df7127e59413c4f1542961593d8e968

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    b1795ed321432161c0a4d5bed9901aa2

    SHA1

    cf3571797702eee9e2c61401690559b0dcacb4ba

    SHA256

    578631b083e070c05d0c3d6390d8932245a23efbe9888b3d3f7cad7eb1b9dc78

    SHA512

    7a05b598407e17eef9cbd48f71e168ab31a2cec1e2fd7c629701f9928a0be35bc8bd8cb6cbf5442f54c3099ab03b5192b18daa6b11dbc3a68f59b7055b43f714

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    64KB

    MD5

    17db496108093714d8f49a441678ad27

    SHA1

    a6b4c267bbaf861a33d5512a769c61582f7ac6b9

    SHA256

    2702b852e8ffc27fdc40580bab8008cb74eaad254a326b4c89bb5a38cb26c7ab

    SHA512

    47b4b13e44b1927a6f1c79a93688fb037edef2e00cfc1a44dbcc86235483d26ff718ddf0905098491e210f2014099d2a337aa6970bddc3b306add5eab95463c0

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    64KB

    MD5

    9e85b19330108ed72cfba22c65c23000

    SHA1

    6743410f6f1e9650d90b9e003346aa737a942bb0

    SHA256

    9248244a047474e85851382c396457abcb043bb934764f3cb84d4e0d44b16e2d

    SHA512

    e02b2c8d58caef18fe226539110fd3ad212ad91cc0dfc1757a52a597307f3f1eaf0cd89fb16681d8a23330625ad55a8ce5e667d903cb56079e95c15712fd0301

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    7a5704eca81572360469a71ee1ee9dec

    SHA1

    eed5fee0064b4ed8d0a532c10a64ec87a123e607

    SHA256

    6e0cf873b8dc818cafbf3631ca0fd6d0614dd638786223be52264e3198ee6774

    SHA512

    40d4aeec58ff220aff39a938797d70aa2b222a6ebdbf61af8f40b9aec36d2ff9d3be9dc47b12f1e52ad4b5c4cc18ff4f5a292df0a3c6c8e9ef66da1bdc6d8640

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    64KB

    MD5

    339ed763d4978b08c3ee73e7c888f2fc

    SHA1

    64bcd6d5d27f123531d7b1f9a23db45fbc04b490

    SHA256

    98d5d126535fef107bdf843a0bda2f9a354dc42a68c92957178398ee13a9f5d1

    SHA512

    5207562db4a104cf52b35cc94de57dc386801baa457adb72398a67068f07db41152df2a5ac81dc2d06baf70d3db730d38b4053868f2d44bf9628716037d01b54

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    6bde9d8a5f267e2ef5252321bd81d15b

    SHA1

    96d4fc6b7cd2d2e2d6cf1714e88414c3fd4792bc

    SHA256

    00f17a8206b290fda65a0fa436055c410dfaa7bc6edd513277fe4f638664bbcd

    SHA512

    a5ce2b949987514dc3319d19a379b81ead2199bf79b64816f45366bd06e73f7ba233ce4ac955f2506b12c9836ce07551eae7f1a7411accdaa7795afb1d3ba6de

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    64KB

    MD5

    9b7ac2f30cce3a51ba8a189a16a2e807

    SHA1

    4f955be52bf45ac65505719696c889272a24fe66

    SHA256

    f04c29d0e409df362df1cfba801627165cea58df12af810a558dbc26d1e5ab4b

    SHA512

    ed7a2cbe7ed64b0ea162e246c1326c47b833cd32013ada92d3acb2c04e65ce5cea1590add8a2d00af2a47cc32e22b3573722b72dd45f1e1db1ddf6e05ebf0a49

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    64KB

    MD5

    6e449320eb030d3544bfb8751c43399a

    SHA1

    4075781780970f65dc2d6392ab09ea52eaa27ab0

    SHA256

    71e3160cb6393b0686f231431eef46ec034668272b0a8387875799cf98bd7cbe

    SHA512

    013d50feed184c62b0e4f3d1fb8a7c126af87d1f60ce95661813049ebd52759659bd672a313635fc7a34434844d911779edd7eae1c8d8e02b7dc1c9b97caceb4

    Download Submit

  • C:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    64KB

    MD5

    17daad23acc956a05ab29b830ff907e5

    SHA1

    55fd3d17a04b197a7ac495dee1e7db4093cf5449

    SHA256

    b7339fcbeef88a33386ff737bb30f1533d351a8d0c49a838c9b2d6b01349177a

    SHA512

    ed38573ab28edf5903fa11fde36db514aab42056e41d9043d40fe1496bb4c018af7a2a37ba880167291608202915673b9d832695e993ceea911e4b928ab4293d

    Download Submit

  • memory/940-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/940-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1168-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1168-421-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1168-261-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1652-332-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1652-288-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1676-153-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1716-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1716-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1828-433-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1828-296-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2944-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2944-422-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3000-200-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3000-152-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3312-229-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3312-234-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3324-236-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3324-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3772-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3772-385-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3996-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3996-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4300-331-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4300-297-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4800-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4800-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4808-197-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4808-228-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4812-326-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4812-374-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

    Download