Overview

overview

10

Static

static

3

33376cda4b...cs.exe

windows7-x64

10

33376cda4b...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe

  • Size

    351KB

  • MD5

    bd1fca8f44921479510a72dbf1efefa0

  • SHA1

    3692a07961e502f4ee266bf9a768cfc1fe03102e

  • SHA256

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc

  • SHA512

    53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39

  • SSDEEP

    6144:V/OZplTYZplx/OZpl7/OZplx/OZplQ/OZplU:V/MTqx/M7/Mx/MQ/MU

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2268
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3584
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3664
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2008
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3452
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:5072
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2480
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2188
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2360
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:5036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:688
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1528
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4580
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5096
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3732
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3228
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2776
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:3460
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:3068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4584
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2464
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1644
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3320
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4916
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4660
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3312
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2556
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4536
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2940
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:540
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4764
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1436
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1784
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4796
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

9
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Tiwi.exe
    Filesize

    351KB

    MD5

    1056af563d62581a24dd381b3f40dbdd

    SHA1

    3f5aabc5a5dbae63eecd1818b42bc63ccacae489

    SHA256

    f07d9b29d3b9e8a6f6b6aaf6136e130f9dcbfb9a3ece199cce290a5e5d9117a7

    SHA512

    8b809108b63b96a553b7ddb48aaae0e463fb35f02895d91619fadd769be41411559f1ae140d4194ce8854b8c225204028a26a228ef90d1e1c110ec5db1785386

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    68ff46d5874cd42a446047e767217023

    SHA1

    50c1148bdb018678d6c130290407dbe66463800a

    SHA256

    b3172d3a46aa74e586b4e6371c21076025104a1a47d2deaf716405ad833fe916

    SHA512

    fb22f78c45fd702a8a2c66063222ff0645fa23cd8bf9920c0f090c7b78624ab8082b3d179d8e2f19eba09a001e28df9476bd412fe9a7ad9bd963c2c7466dcda9

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    fb8c9a97b5b6283fc33d2c19793c9ee4

    SHA1

    6b2a8b46347819d23c8f3928a343d3b644ef4ba4

    SHA256

    0f584cbad7557e132625396b02db174de35f7d5e8236c546a9f6f7cca64ff16e

    SHA512

    c998e6a685dc1084c766055555267e8a4a0a75b751de117d36170f85b2bd5fa72010dae060dd8f48fe3f520f7d53995dd7530ebb38d48cc5d7e44de285f750a4

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    9e2f3e4b9f3aa0302ba39142f11e8c7e

    SHA1

    ed9a3e6d902b22b922b508c56cbbe48141dff3cb

    SHA256

    ffb678e80436eabc27f31ada2fe673b962b281f65e80844e7039e45c03318b3a

    SHA512

    5ef8fd4cd73c0d5a2e35d77a887582e06b0333aa9c92d2e531295ab6f7a3e7a59ea7ca2fd3a84ff0cd017d2274203e026b247f25e1bb3d1d76fe2e8f06a24293

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    2e77c2219963c11bc9cb8c8eb293c5b9

    SHA1

    681cb30f40d65ef711ac10f737ddc051f4a572a7

    SHA256

    ce7e48ad60aa5ac768c371aa73a965c7b3e83bf729df9f5ed350e48659a3c8cb

    SHA512

    75eaba96619d14da69d4afb03d60729d3dba35ee3ed3ee2b1f23419c8c89f9d9862876b781dffc415a421c28b74aa7a728e6df1ccab549734becde1123e563e4

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Filesize

    351KB

    MD5

    591b88bea33cbac9113824c0c5dbd5dd

    SHA1

    63b81b974a8ae184c159b39349efbbaa4e8d55e9

    SHA256

    75753f3a5c393c1afedb5ce25e36a33a456c11168e3792559917003e2694af79

    SHA512

    1a623dac65e91323731d484370bff467a540cf63e9c86b739f52deb8970447a6cae6b5eac2022e789bf814bdf65a153171ae10b779d16f05c7fef9eabbc4ba22

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Filesize

    351KB

    MD5

    9ab2f4f2809ced686cb086fda0bfc041

    SHA1

    2f96393f1dc7f6a581ca84d69f7e80244dd3243a

    SHA256

    ffe3c2c4864573097115d41a7bdaf5ecb60031a60ecd617312cf2ed237f91e53

    SHA512

    5d1b694a64d471d8d036e0213a5aac42ce7dd2fce723cc9910fe2dd535352c239ee9cc0fc4351cbf3434d61e0fda1b4a4b5670d8e429dc6d84eebda979c019fb

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    561ba6a568ea555c3853e910d60cf22e

    SHA1

    910e30aa4749f9079a7d0aea482c2f95ee15fd74

    SHA256

    7888f5487d982aa41dcdc943aae9a866d2c35ad4808325e34fd136da66f03898

    SHA512

    46c9353ef7e298dd8f84f8ccc9259876e4dcdab8004db8587b3dccd646c2e6bc1497266405ab996740b4c4251b3f985510b0d0e10fb43b321a75f36499e2e510

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    fb61c22bbdc2d0f7f2b87af3d3a3dd08

    SHA1

    5b965c8255011f1d8f798000fe41428a25586e8e

    SHA256

    5c9138e96e8722fff7533df47c9751c4e3406f113f4c56cd875faf76e3404005

    SHA512

    44e8ae044ff02e68ea2d8e750820b99bc80f86d6c5b1d37e337daeff6fc15c77e1bd9b33060dc4fe7b9a1fce21e4b00fd63d4e6bfba0b5537d80958d43b8978b

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    8ce89b85a92fa3a473120a0c93da69f9

    SHA1

    3634a99f2e6aa069b07fd5eceea3f17cf753ca82

    SHA256

    3424cd9c56383be8c4a6ce26bf77f1a17aa839fe4c5d1cc0fe37214d8be545c2

    SHA512

    28cceb1e947d6fd987818ccd77cf80e24fb070bcc5918970fc3fa0600a0362e631acb7480907408737d34c0dcbaf7664e542d7f2670f8a13386be67f276df92c

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Filesize

    351KB

    MD5

    abe570ba562afb017a93d4ba07670f7a

    SHA1

    393250a7a8094bac9e36f058ba128be79d58f12e

    SHA256

    fbf0a87e2fb810aaf651224f783900a97ec0ec1baf6651c71b658054662a62f4

    SHA512

    02feac0a5c6ec075318f36b65f03a24650fec9f474a88803d464c5fded786411ed4fdfa82de4661cc2a1662174118fbb78815bbc08203156df9a6c0abe98f213

    Download Submit
  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    351KB

    MD5

    cb0e7ef93e9860428798848d855d5b49

    SHA1

    bc740d5c6a8d20c7d7fe00bb2e4a3ea63b1da9fb

    SHA256

    198163e6c161799ff61fbef0709e86730423b38ba0755bbc8496fb0470e6d6b7

    SHA512

    40b3f14140ff46f7ed7c3bb7ae7d8b0e4de9ed982b1fea8d55f7d65418d1cc4d2fa78969bbae2fe2a615b259b927859c3201d5a77cbd1553480ac84cc28c4d39

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    351KB

    MD5

    14e7cc9f0deb00e05843a314ea747cc9

    SHA1

    f44364dd04c7766102fec459ccbf7da33cfe5d56

    SHA256

    c02a7dd48d2e38133b7be1f79c9c8c67857e6ff10cc8da9a37f718cff1ecd1f7

    SHA512

    4638619980684ad3c0c8e988faf9c591096a2d753d8d75b4f5ee0a9aabe6e92d0802490becf93bf935ef391d58d158f99fd91f529833efb31a27f77474c58936

    Download Submit
  • C:\Windows\SysWOW64\shell.exe
    Filesize

    351KB

    MD5

    bd1fca8f44921479510a72dbf1efefa0

    SHA1

    3692a07961e502f4ee266bf9a768cfc1fe03102e

    SHA256

    33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc

    SHA512

    53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39

    Download Submit
  • C:\Windows\msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\tiwi.exe
    Filesize

    351KB

    MD5

    915e7393a7cb889ab8e3f7f840459b43

    SHA1

    7e76955c1ff751f655cd6a99704f09cc2c6fe40a

    SHA256

    d5a7266f1155741c33ffab07756bccdf762e575010d08cb16eb3e6cf1cba9408

    SHA512

    d0e2de8705124ba6bf8de1761b8740a7205e1789402ea823383b461c24654d4180fb187fcf6d4c985cd800f7c2c567082fcb70f33a36fc509c74dd2bda4432de

    Download Submit
  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit
  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit
  • memory/772-226-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/772-257-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1528-102-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1528-321-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1644-336-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1644-325-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2008-267-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2268-303-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2268-440-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2268-0-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2464-324-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2464-308-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3068-219-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3068-198-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3312-306-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3312-322-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3452-452-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3452-305-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3460-147-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3460-197-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3584-307-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3584-96-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3664-191-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3664-225-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3732-323-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3732-335-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4580-256-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4580-264-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4584-227-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4584-451-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5096-263-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5096-313-0x00000000003E0000-0x00000000009DF000-memory.dmp
    Filesize

    6.0MB

    Download