Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 03:48

General

  • Target

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe

  • Size

    351KB

  • MD5

    bd1fca8f44921479510a72dbf1efefa0

  • SHA1

    3692a07961e502f4ee266bf9a768cfc1fe03102e

  • SHA256

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc

  • SHA512

    53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39

  • SSDEEP

    6144:V/OZplTYZplx/OZpl7/OZplx/OZplQ/OZplU:V/MTqx/M7/Mx/MQ/MU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1524
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2196
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:992
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1116
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2948
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1548
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2564
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2764
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1992
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2352
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1924
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2292
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1552
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:1572
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2828
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2516
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2240
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2556
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1576
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3068
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2416
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2540
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1456
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2488
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:996
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2324
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2680
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2304
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:1512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1808
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2696
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2020

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Initial Access
    • Replication Through Removable Media (T1091): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 2
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 3
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 2
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 9
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 2
  • Lateral Movement
    • Replication Through Removable Media (T1091): 1
  • Impact
    • Inhibit System Recovery (T1490): 1

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    354e173d35851a734daf4833c4b68762

    SHA1

    82635acadac25f46fd4543b644eea321c6178448

    SHA256

    82f1363e07eb54f6c8bf61ce165c209dd501c21600ae36af2b8b5624307a8309

    SHA512

    af158fbc39f9b3114546a6742699f4c12729112d607fdd28b1752509f54a25cd37807c1e63bd8287a0d1ac3dbd03414d98afa60586c0e9f7aa91b68eb5217024

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe
    Filesize

    351KB

    MD5

    c9e4e92f83726cf56019bbe523523954

    SHA1

    ca3e1977148fbdf3656e1340a1e95c49e963e855

    SHA256

    8bac8c016e095f8ba63ed8b42f7ce24a617d2a787be5508dcd69322adc3e3c57

    SHA512

    5c3132f190d9661c9b6806d3bcd7b732b75e9c7e2cf33292dbbb41e94095aecd111e1ee8cc036e2f4529f2143c6ff05bb2f9f85fde28195f1c11110548f5c4fb

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    f33b9e3deee9255385599347c039d780

    SHA1

    94221ba2bdc08f2f53351b28f58aacf467627be0

    SHA256

    6b79db6e80bc808f5c0242a0abaaa7c7237ee5022f9e27a567efbd2111d9365f

    SHA512

    2edec66c1a05f647a4ed14f1ea56b01728b92fb7ba7c83273c9f65621174514aab705a19270a3d9488a31ddf39cfd12c888fcda56e486f4b55b4c2a7b3675801

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    7793e6a2eb4c9448950d6ab10226d5bc

    SHA1

    610b69aadffbf468208b607e1743750b2145d635

    SHA256

    67315697d881416b036366a42ff392d456d1252dab1b4113de3940c786054f70

    SHA512

    b62d90d1b4e15ebe18e4f6c8e347f020fbae682bd1cb24077eae01f2531b5c4292bad1b53ff734822a0e914ed6d69c3b6ad29d55394f489adc4ba3cc1e9c49a8

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    096feb2ce608089512df8f2a435204c2

    SHA1

    0138e0cda74e5c9397b2e7c951f0ff82205c6343

    SHA256

    26aa61c79ace4544808ebdec05ab77ea79bc54b8dc2d77f272529825fe80b8eb

    SHA512

    0b4738d2714f88828b0d816878fe178b7a5c5250c9a4b1742ff39cb0525096809e7bd5134ea2523e1c9212bbd3de40d270ae9b19449ee4a30e1e501fe060258a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    eecd6d3e3c9eca0e8f12cb9c49771d87

    SHA1

    af0a8506cf5c73b1387953076319b31709f087fd

    SHA256

    17104df03867fe96bbf20068891b9706a38300b75e25b357dbf8e4130fe6f52a

    SHA512

    627955cb486be4c380c95b542297250f8f390b967855466003c8f70d513aec2b0a93963b44e4938c48b85735c29a653db4263b3c7ba0ff51159eb8409b5fc035

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    55ed0cce4e5412363bab6c818d23c0d3

    SHA1

    c4caa3b6bcf45453b22de59ba3cc4080f12591cb

    SHA256

    319a9af9e1a3fb0c9c209530ad132343e945bfb340b8ccd657854b72312b0ee0

    SHA512

    8fdb3845183b3b5fd9450d5e132c3d0b8a8f140e3278816aefeec46a27ed202e75d1ae57a1a7ad0c1dcbf7918fec07f0f8418cde8d8bf7a7ff506c3a80e181cc

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    9657f614ddcd287968a7f34fbc82197b

    SHA1

    e0f0c01e2688f2f005e2a6928c6e00931292794c

    SHA256

    20a5f0d031ffb4b85b63fdc78b0fa5d2d078b933eae55567536f74e905d22ece

    SHA512

    4cc1923137680a1d0b5288128610f0e5d776b31ac0a44187b3e257651283e1b541219f499893d2ae7dd74f8a1fb36213acb7154d766dc4d9a6f3e2be1014b02b

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    dd2e2144f8ef55eb78ac132765cf8465

    SHA1

    1ce3eb2400c227fb3f6c312ac3addbcc855a6477

    SHA256

    c4fe170f992d8be97bd3be3354e0831335266f232be169ae7a473e7a65890ae4

    SHA512

    748299998eb261f33f8c0e2e8e9499858f6dd5672cae4891deec5329f0391b511b8f0a9ae1266163c7fefd3a03d69b17574b4c8a1832d9b0065146102ed17b4b

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    08ba23a35de5db1eace24673e63a3ba7

    SHA1

    3038b34f2ad6b23ed49fdcb43ca49402ca8adfda

    SHA256

    7534d4f1cbe3021c27249f1ed5be663707260fe07350a9de78ad0074d8316664

    SHA512

    b654d2cc9186a575f737198dd00681ff421cf3b7f740b86e1153c87efb388bd7af76edf87a6b2e15e11ac753cb8c5c47da24c6b719474456095b195d34837fee

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    40a3b510f2901487b544ba4851cd3996

    SHA1

    cdf5eafd6d843ed9cf57e639e969daeffd7af76f

    SHA256

    41c97bc646f6ee99cb14aa05eb1cb44f023a018093a273a68c8974df25262fa5

    SHA512

    098ed253dc6051f106eddf3109cf956ba17b2c8c9c294593f9320bb37ea7e4d0c704a82566a8fdb175d293bedcb8bf4bbd4f5ecfee8a1516be9a9be574532424

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    2dbf1a5541e3f21cabe28f52cccc54d4

    SHA1

    f3e6dbd1aabb48fcede1f0865177870796686b6d

    SHA256

    51f7e1257c9e8fabb98ee9cc575c7b3bd3107e9ec2bbf719cc860caf64dbc401

    SHA512

    c81f12cdd5e86dfd1c21d17311375ec426954820516293c3053c619489155ca9ed1c40fd441b1cb0643300e876866807af37c9eacf541712532d53a4d52571b7

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    0a5b3d44a61c5c1278aa9359d9e3c797

    SHA1

    a55963b5cc94ce175414db3ff83488676ba7eb08

    SHA256

    4810e62e835f5c4346cc96331c5e71ccfe537fa8c0218bea6fd3199daf00e239

    SHA512

    5aa4149c07f1d97cb4da6b1c4359971302ec064b2453362856665897253df81f8168d692a9ed325d2e54d7274cee6eb159364cf352432c4ba9b58f8f5d529951

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    feec16136c110604840cb08cc07dd972

    SHA1

    c2fceb99a211a115760d3c49d79695b1d63ba5f7

    SHA256

    72e5b6f8a4bce2154978ec45fa159dd50070c140500abeed6dc6dbca595714bb

    SHA512

    4287664784d68790c00ab569f53f80cde9a404aa74a829af0f0907a29475e3bb74ea8205eeb0b3b778083c793ca89ca111dfa15764cc7e8e53ee3074ee3312f1

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    bd1fca8f44921479510a72dbf1efefa0

    SHA1

    3692a07961e502f4ee266bf9a768cfc1fe03102e

    SHA256

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc

    SHA512

    53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    f42e8960735ca3b59e1eb119c518842a

    SHA1

    6917ab2b0d895021336e80b4ebfa72d290d93073

    SHA256

    9de49f102008eb68d27e28f8c249924dd88467d8ccd06db4756aa3da3868d68e

    SHA512

    eb0f473386cae64146261c0821bfbf9bb13b12c1899964d57356971605782f1f58188210c8374082a750c33f180fd47b993c09dcb4a4d2178752c09d423d5bd1

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    81dc638933ce6f34ac663b73e69f3c1d

    SHA1

    c86aaf1b0988dbfd97a523bb09dac9d24ecde5aa

    SHA256

    52c773f6b64342df658d154b98d0d25d774c01d72f0c1a3865faa14d98b4bf18

    SHA512

    9fcf7d7c7b1f214e1fee6d7a252f770f8dcdea804929bf48b1ef8fb71eea8588bd5e2217c1f5405f46b35c61365affbcb671519cd7312e72c734e3ea8c1a7248

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    351KB

    MD5

    9a10ca26099770d6bf49e6330d6787c2

    SHA1

    fd4e6d796a431111d092af2bc940552d68cfef48

    SHA256

    fc011b81ff285cc9ed42f1cc81a90b2d86729bb9dbb173af104d2ef13aadc4fd

    SHA512

    0273994073c2ac90683aca5244fd70a80614da2e2cb482819915036cfe397cd67f987610956caff931ebe957edd2155962af90fe6e0c5ff5e77fa91920b452aa

  • C:\Windows\tiwi.exe
    Filesize

    351KB

    MD5

    17dfb639cbf87bd64b54338cc6e06033

    SHA1

    834521b914249bce2d0f087ad368c2e894809bdf

    SHA256

    879b9910fbcafa03e07642b12e3c5ff7b014445ac465a845fb277e7eafda65a6

    SHA512

    7ab24158f99f44ce57bbf6d04711b9875dc160663db6a22ef8e9178adcf496b31875a57faec25f1176d7301f422baab5c68730eaee94e389ffe57d52cb0bda73

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe
    Filesize

    351KB

    MD5

    a2650b2ad76fcc1c07c07da44d1846d5

    SHA1

    5de5edc9601a5dde2bf5111e245a3073114389b3

    SHA256

    4d4b18d9a5a42a8793f1192547e26490e5c1dabca8d81c1280047d013b61f87d

    SHA512

    929e0d497e223fd5b6db45191b9fc38bc79a133f1a22bb69c00de8b0bc3182e17a135bd646e2d4230c13b092c82c64eb75bccb8f4034855f6323b0fa4e36a9ea

  • C:\tiwi.exe
    Filesize

    351KB

    MD5

    0577d34d04fa1e89f8e54264352afbc0

    SHA1

    7f719c2befd1d3494364f2d2e1403f4617341644

    SHA256

    09b4746a49551b1c1cd7507beae81ddbaa3551c15fe68a86c600d9947252dd1f

    SHA512

    4e67df8b0a5e7e9ef1346cd7822280e67b7a5b8d5b2e4aa39d1c05df753641e145449d65152f388df1e573f8f627ae63d0d1e3b0cc14ec5ce29d5a6ad12f39e0

  • C:\tiwi.exe
    Filesize

    351KB

    MD5

    a725fcaadd25990835b89f6a798ad641

    SHA1

    5fe88fcd53216f0c25fca9551c4de777588cbb67

    SHA256

    f42b4c42eb13ba45c0c03c51ca9ffc9f714028e17ae6ee6bdae0661ea280af20

    SHA512

    6030363427675538f426f75d479089cff9eb0f59050b0690307e3263d2cea1f3d69fa3f9ed7327359de6111a76e635ece6772268d239e9920692156bbbaaf81b

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    351KB

    MD5

    273dfe32b34aee34e040c89494cd61f0

    SHA1

    6e169084af17caccbc7255cec417a2910b174115

    SHA256

    aa1d7bdbe0351177cf70d6c67a8be67a275fa13a48b3902a685d0a77a0a7db83

    SHA512

    4c9dd6ee9a1c8362c9e08e2d0d2532989178455ffd313bfae37fb7bed442c284116c08ac034bf576269052636393d0127a7f47a30ff0d9d8421de62ef8de7b08

  • memory/992-234-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/992-217-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/992-233-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/1456-125-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/1456-455-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-0-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-110-0x0000000003820000-0x0000000003E1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-124-0x0000000003820000-0x0000000003E1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-108-0x0000000003820000-0x0000000003E1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-123-0x0000000003820000-0x0000000003E1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-440-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-174-0x0000000003920000-0x0000000003F1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-99-0x0000000003820000-0x0000000003E1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1524-230-0x0000000003920000-0x0000000003F1F000-memory.dmp
    Filesize

    6.0MB

  • memory/1552-435-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/1576-322-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/1992-437-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

  • memory/1992-436-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

  • memory/2196-229-0x0000000003860000-0x0000000003E5F000-memory.dmp
    Filesize

    6.0MB

  • memory/2196-232-0x0000000003860000-0x0000000003E5F000-memory.dmp
    Filesize

    6.0MB

  • memory/2196-445-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2196-456-0x0000000003860000-0x0000000003E5F000-memory.dmp
    Filesize

    6.0MB

  • memory/2196-98-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2304-231-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/2304-175-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2304-235-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2416-400-0x00000000002A0000-0x00000000002B0000-memory.dmp
    Filesize

    64KB

  • memory/2416-401-0x00000000002A0000-0x00000000002B0000-memory.dmp
    Filesize

    64KB

  • memory/2488-330-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/2556-454-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2556-111-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

  • memory/2564-404-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

  • memory/2680-407-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

  • memory/2680-408-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB