Overview

overview

10

Static

static

3

9a77a96195...6e.exe

windows7-x64

10

9a77a96195...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe

  • Size

    91KB

  • MD5

    02298bc71b17e3cc682468a9e5c9789d

  • SHA1

    ff10519760f8a8ca6b4604c47aefb2fe67f4efde

  • SHA256

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e

  • SHA512

    15d5cd9c9d154932a9adc98357f2f0b9fdd15e807a9544c68d312b183b5dcd9fef08436f8422d855be33bd3a538e0f126fdaaf5d14902697bd1c906cb0a84169

  • SSDEEP

    1536:IFAutcCNS1mgnd2y1nrPlGiCcCBEulwHiFAutcCNS1mgnd2y1nrPlGiCcCBEulwN:IpWC4YgBPlGiyll8ipWC4YgBPlGiyllM

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 45 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 54 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2380
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2516
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1776
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:280
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1996
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1912
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3012
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1656
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1236
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:788
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1732
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2416
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1616
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2244
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1084
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2532
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1572
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2992
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1716
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2724
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2176
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2684
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2340
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1696
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1984
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1668
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

9
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\cute.exe
    Filesize

    91KB

    MD5

    8d5c5ff4691b5de13fbc0bea3355a6e7

    SHA1

    51a07f908788ffa809c41f13338cb22751b6bfd9

    SHA256

    831bed176f38c0ea7301dac22970e7a53dd0df0fd1a1b1d5cf8b74e8ee78f181

    SHA512

    829c3e1481231b5a2c9690214fc4eb7d94b9e0303d395a94189fa1d1d9f5a362d498e92c7a80bd8c585ad1c6df96fbb82105e6ddf7eabb0ab677e849e0223b91

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    9421a5795c38f8516e37e1a1bb67ffc9

    SHA1

    c11949ac0eb773f04c965fdf9bd2d9b25fbc2ac5

    SHA256

    30a1548dfa685b1cee484ff1d34d82b3f3480e02995e8ffe3bc621443fa67d0c

    SHA512

    e005c81663316a533e1d5c0a7e03f1a09c589a948f2c24fef97d2b40f36577251519b08a861bd10c087c4910ac52e2d4787cc611619cfd098072c291332d9955

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    2828519436d7bf8e6fa361203e0c18d3

    SHA1

    60bbca968a20828b8d9a42df0e88bdf66d654a63

    SHA256

    f80c83163f7fe8e2b817c45f52824c1c3b7862cd5f243f2c24851a4a7186c986

    SHA512

    fee621caa398087f0de5785cae7c4bea30f8f71bc0e7cb474bdb0c404df0aef6598ee511ef83ec88ee0e1fc5c0ad2f633b3f6ff623151d8f2b41e64c2cf93082

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    ee1071158a002dce06d5ae87548d5675

    SHA1

    89a63599db469b42ce780dfff11f0eae5e514a9e

    SHA256

    e4d33d88c393e5755fb23f36bfb1c37aca34e6d6c272f5997d7fe0e2b39a1b23

    SHA512

    5e7630fa8e5d820c0c3ce8c5efbed8decb0f8cb24ab7b247deff999fc3aedd1d7588bee8f0a41946d821fb7b56b6e55715714fd92dce1fcf2fd8f3b78c05de1b

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    Filesize

    45KB

    MD5

    375c09bcf0611952e34110f41150f977

    SHA1

    78dbbd18f2756700d167f619ba994098ad140329

    SHA256

    899a6b525ecc081a87f61825fcbe397b31762e3db56db2cf728b750d5e7925c8

    SHA512

    c6e3b2ddbb047f9587e5ce88d13a1dfa9acc5807d5cc366fbaa763191d1fb794bf0bfed723989e725fb9e71619d4c871317ecd987faaea6387f8eb4d0d00337e

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    a2f3d29f97fde859630f21fefa5a0c4b

    SHA1

    27bb5a994c8227f035009e0119fc8e4e5ae3e8ed

    SHA256

    3c94f3d5594996f26dbf250775d4b603fa83fa21c85126db593a1d323e718c02

    SHA512

    f4e3bd7ea88fc8be0bce3e619cc90e0b627454bcf45ec5a141aaea17cc704fbab165db5cf3c52fb8af085272a518c4ef16ce147e212895332f50b441963d5e57

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    8c4fb99cb292b16b8b6cf544b393fe37

    SHA1

    383cb069be84073d2f3d9cbd3155eb1772fde504

    SHA256

    680d9c9e0fcbea6c0ebc91f04e82e7fbfee9ed8d277e3007a551511453311361

    SHA512

    e8d4c2450139e56f3e11658bb5b6584fc46c124746dc61e83606bae3272c1128a5b803a1e37d7fd96479f10acd305bccbe7edb09508e0d7b40a3d7dd7a0b574e

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    91KB

    MD5

    db5f7b95270d85e0addd3820b7affdac

    SHA1

    c1674e8c92fd23a807330a746c7fba7715f1289f

    SHA256

    921ab186fb3121d78bbe84552a82b99b8679df1a9a7aadb375ee2b62019c1469

    SHA512

    fe19cfeb89544180ed8548a9b6a952895d0b4a6356780f6db29f2f04b804473d89ca754912537a2db38efd8f1add5e3c50d4ac98610c847445acdd5c0dc76d2b

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    35bc85ac6be1649e5c8c9ea0959e5790

    SHA1

    b0244fa41b2a5cccb814e1fdf486d2779721819c

    SHA256

    8139df09406cb646e7cde30a8f14e38b1316db44d6c738988fe02d7d0deff1da

    SHA512

    2b4c98eabab76171664f73c9a6392e192bb41d718778e314ae3467aa08ff388609bc3065a0f4a4b169eed93ae70fa91f8bd8f8e6256614e486ac0d9fa031fd26

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    4c0bc555a2869951b9af15ecf2f97103

    SHA1

    16e39bf7c1a8213f52bcab1b1c4530a72ba91b8f

    SHA256

    58ad9f1a94d61267e4e64ed1b9126b45215eb5908b31339647eddaef022d727a

    SHA512

    0587aa6a4c9990bb708fd659b8389a72ec268087e801f7815899a0635003b9c9735cb5c06ee71f8cca503ec2e3dd85f7a7e02b32ebf943347b66c3cbb2370701

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    43185755fda6043988666c3b8df9360a

    SHA1

    31ba3bc6bd4327e9304e5a769f1e054009bca27c

    SHA256

    89a8bee8c4678ec34c67c5b11c4f3a17228e98bc88ae8e6f603ad96fa58dbbc6

    SHA512

    3e4a7758141759d5a5ea4af20729b9523e49fbe0a1319dc9166f5838e6ae7d9dc1fc009f3f23c9d2a095bfa5f8e4924fc8410cd7506b5814b1ad16c85a18a038

    Download Submit

  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    02298bc71b17e3cc682468a9e5c9789d

    SHA1

    ff10519760f8a8ca6b4604c47aefb2fe67f4efde

    SHA256

    9a77a96195039c211b22e821183f47a501f3deb402b5c03b744f738150a5626e

    SHA512

    15d5cd9c9d154932a9adc98357f2f0b9fdd15e807a9544c68d312b183b5dcd9fef08436f8422d855be33bd3a538e0f126fdaaf5d14902697bd1c906cb0a84169

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    6754a8fccd0c48a862ce5b1420f1d22f

    SHA1

    9f1b0d1180015d217df93e684ba581b24f12444b

    SHA256

    85f2f9c509b9bbe5abfa212c9ab24467a369dbefa8f1e93e043993ac9ec4a06b

    SHA512

    4bc03e986b2fef899e9eaf1d335a3ba9b09276f6767e32c647deb49f3bf3cd89192b28a6cfeca7111bb45c145f33cf61ad9ed097caaf99bbc74068837b452b28

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    039e11addbf77bea19d3a6f254e1303c

    SHA1

    ce9c7c962737431db78564b9577713793c865293

    SHA256

    b6f9b4a65d240a567a74c7ba31d751ac096eb8c37ffad28c21b63c029c228122

    SHA512

    3d0852b3182b25f8ab9fe5c46c907dbf7dc125a7e7c17ddec0af7088c80c42f93c7d96fb55916c4d009dfd0b8ec33c7a6007c07f62dff919603f877478798d0f

    Download Submit

  • C:\Windows\SysWOW64\tiwi.scr
    Filesize

    91KB

    MD5

    cdbd3c67c8e0feee72950f266fd3eb46

    SHA1

    eec38494e394d8d2ff748ac39eef36f93841447e

    SHA256

    5da0716d585c8df5d46dc8accbe0913bef9aef08fbed2ad7db3d8271e78f5d8a

    SHA512

    91f6944f9c306f51fdb2e7f71ca28d4dfd2299c99fc1f7513218c8c2494bd12f04a3dad3a7d8eba7447d73cab9ba9b65113c6116ff236df3f7667583e4c7dd33

    Download Submit

  • C:\Windows\tiwi.exe
    Filesize

    91KB

    MD5

    360dfb8d61e8c486aa7d3d463d7bcdc5

    SHA1

    ffdd36cef4c7c6c39b0b33f67fc0526485fe1745

    SHA256

    327bcd669f8876dabfca9ef005cb9ee043f85afdbd9e430cff063a5d3220b92b

    SHA512

    0c23505d5e00c341b6c4c9cae6667d2ae604778e68d828c6febeab8e5a9997e52caf0d5283cd60cebefd7dc4f177e1e39323ade799b0645a4d2ab3c44d9f0ed3

    Download Submit

  • C:\present.txt
    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    6595bd88b12dfe085576f6890c07f568

    SHA1

    df453ef3504c8f84f76e1e262fd31d3862aaf7b5

    SHA256

    e742b3b55790e56ce7a3fee804d6df05c19c8498a157660252b4ad61e9ecead7

    SHA512

    33be378d1f18d3a3a53d914488968af88bdebdfae29f63728512aaf9e7815be250e9720ac8897e673be33a967786009eec4755338c60e09607b4acace1e31faa

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    bede26017cac937711c9b81cf1821ced

    SHA1

    c4868ad7d37e31480c3dab0cc68bd2a15f3e7fc1

    SHA256

    049f5aacb56c886f0b022a13fcab1eb0c4e5bb37595a19fe1459d627e27e1443

    SHA512

    32c60f8309be5801ad6147b34b5bdc995d39cb9f0b7fbd0713750f58ddf9f44dce508e983756830e11ae0ea59384a688d1e358df46564814bd91e1ccb985f4a4

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    d6d585601a53d84a31423da06c178f80

    SHA1

    7521f86da021951550f7e00c0df3ac1af215c391

    SHA256

    013ab1da821708ff8cf1431d2ec7b294bc8a6adcbc0e1deebcf4c668d9034ffa

    SHA512

    d8ef546c61314484b4b9bcd113c5fdd20b633c4ba7be38e2829a1706e04fce724a48121d0266dc4ddcdbe73e179fe498a2fbd8b65709ec5801e076178bfc4e50

    Download Submit

  • C:\tiwi.exe
    Filesize

    91KB

    MD5

    11ef99b75edd5edcbec861a7be6245fc

    SHA1

    aa055939095f2886a99bb2029b5fe740badbe4b2

    SHA256

    8ae2b9676e91677da17e32b57088678e166b18b69b6c245c87dc9396d292b0e5

    SHA512

    1e2aa9ad692a2d60f53bc714113b82c4800d93e9790d643339db915e22b7cef1557b47fd0eb02be03e994bdd238d99c5a169cf98409af9855855dc36c7200e93

    Download Submit

  • F:\autorun.inf
    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\imoet.exe
    Filesize

    91KB

    MD5

    806736dadf1f6b00f84a226dbb47ca96

    SHA1

    66597d4f3062f0854a1361a1f8ae30c24e82c214

    SHA256

    4ef2ac427f1bb86404432c732b251ec3e55ff0d53851cc9532c70622ff07a5bf

    SHA512

    b0740905f86c36bc116320ac821afffd0e87403dd03b9e53d799edd44d92d6ec5113dc7bc842fb5b9677e7ea881d406ddad58770a2344b5d0d5cca6d932ea3a9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe
    Filesize

    91KB

    MD5

    570a11823dc8a9ff8feca3000ef97d71

    SHA1

    d0b05578274c5e1dbfcb722514187e04bb1cb4f6

    SHA256

    9e41986bf9c4a65d0354ce986f02a2609ed9f5a3933f9a8a1fed045726987b6b

    SHA512

    a5e4d53e61667a82ec099d313c025eda5dc7d7141d175d27602b9e3f770dfb42e338324ef5dc28f4b4d8bc1aca8ed23fdcb882f8b181cc88e9d1a520435c503c

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    9e74ac366c374e3d3986904203eb74d9

    SHA1

    b26a45f0763b0749f194ecf4b330045243d85af6

    SHA256

    c71f33421ab8fc92ae69ad1e93b01f08171e73f37c4c8bf122feac98dec6916b

    SHA512

    f232033f61e424b055e901a9347d6294f7f78de489d6be986fe2475a367812da99de78a7dd175c0f4f0d894214c6df7659b729408199356990252d6604c8b265

    Download Submit

  • memory/280-262-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/280-256-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/280-255-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/788-261-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/788-264-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/788-272-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/788-263-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1084-352-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1236-237-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1236-235-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1572-353-0x00000000005C0000-0x00000000005EB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-456-0x00000000005C0000-0x00000000005EB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-268-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-433-0x00000000005C0000-0x00000000005EB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-133-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-460-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-318-0x00000000005C0000-0x00000000005EB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1572-418-0x00000000005C0000-0x00000000005EB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-442-0x0000000001D60000-0x0000000001D8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-401-0x0000000001D60000-0x0000000001D8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-257-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-374-0x0000000001D60000-0x0000000001D8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-459-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-372-0x0000000001D60000-0x0000000001D8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1616-123-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-350-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-285-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-213-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-221-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-458-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-373-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1656-281-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1668-443-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1668-447-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1696-384-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1696-381-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1716-428-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1716-419-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1732-322-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1776-218-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1776-217-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1912-364-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1984-441-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1988-455-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1996-274-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2176-440-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2244-317-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2244-316-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2340-143-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-462-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-448-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-376-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-380-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-468-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-461-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-343-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2340-279-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-147-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-104-0x0000000002660000-0x000000000268B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-98-0x0000000002660000-0x000000000268B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-122-0x0000000002660000-0x000000000268B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2380-99-0x0000000002660000-0x000000000268B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2416-388-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-181-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-355-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-432-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-354-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-100-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-280-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-457-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-284-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-361-0x0000000001F80000-0x0000000001FAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2516-214-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2532-369-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2604-430-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2664-375-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2684-453-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2832-402-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2832-425-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2992-359-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2992-360-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3012-400-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3032-422-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3032-382-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download