Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 11:02

General

  • Target

    7be5146fdbf1cc1f08f18b8277cca450N.exe

  • Size

    351KB

  • MD5

    7be5146fdbf1cc1f08f18b8277cca450

  • SHA1

    76fe7c65489686d70d2e8bbd25388aaf3d375a79

  • SHA256

    7bc3a505731c379a33dce2f4e3ca9c2ad2678b2b4040250ae6574fd37e9e193c

  • SHA512

    202522585e801532a812dae11a06af20f533f8e13f2813d4bb3a0d188a4a31bba0967ac12c756bfdc1e29a5a94ec1139ae002032860364e317db021d2b6c9212

  • SSDEEP

    6144:V/OZpl6YZplx/OZpl7/OZplx/OZplQ/OZplU:V/M6qx/M7/Mx/MQ/MU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 10 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7be5146fdbf1cc1f08f18b8277cca450N.exe
    "C:\Users\Admin\AppData\Local\Temp\7be5146fdbf1cc1f08f18b8277cca450N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2328
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2676
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2232
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1792
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1364
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:756
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2456
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1676
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2284
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2420
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2696
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2860
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2296
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:796
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2952
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2532
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1516
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1372
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2632
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2348
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1664
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:804
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2920
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2980
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2340
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2764
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2880
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:768
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2768
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:496
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    321d7eb525a4e55f24f3d8522e44b6ef

    SHA1

    79017c3a2eb01b002dabf2832aead1f3be0909fe

    SHA256

    4817146ee0d534318ebf5d8260dcb9aeba0b702035fc5a6c7c5045b7500eb825

    SHA512

    d3069575d59b15de5ae2c7ea0ecf84482160ebbbe3b670b0c7f0dd6f3e54fbeabb0cd04ec878d997b92a709515e8385cf1ead5175e6a195c50f439fef829737a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    27bf35d909f780e5844aa472cfc33b9d

    SHA1

    efb83f92aed826e82c0b507ee1e55bf3c7de46ba

    SHA256

    c89cef38d7a63ff1d0603bbe45307ff3afd908569ca409c854ee40f4602d716c

    SHA512

    8a0e61b07fde98347d850fce7749224abc770c77b00c5edb1c2b10e88babb4158d0200acfa19dbac3fa8bd4d8ef207880432a46d8bd14d932a54359a53f3d16e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    90b5f75eece521c7e27b3d2b87a96993

    SHA1

    71edfc847622f78042c2da10344caa11bf2023b0

    SHA256

    5a6bed0df6a7c9fae1c494686325593b42baa2dec52361bcdb48f1af9c698738

    SHA512

    9bd98093e467523a09caec8e3f03022636d75e0f85ff2f7dac621f59c74186d5cc5c9da7c76738e3e9b6f7277e8c5d328016328bdaac1d1c10e9632a804f8f34

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    3fc73b51a8cfb578f46178a65ecb2fb9

    SHA1

    40ba52c632442556d293e807dbb954cf42aeb981

    SHA256

    4076812728a0addaabb4bffbbbf70bb8f4a1285f2f4eb4a5d006d0efc99d2e8c

    SHA512

    e0c4e88c5729564ed05dc695f53dcea9bf9fd16939912a1a721b43a842dfd8b7186a626ea612dd80e253eb076d85a6ac3a4db6839d28e9b9c8c9aedde55c100a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    d8a21b1f4bc6d8f4a5d4951ae19b9f31

    SHA1

    53a91e467f5b43b815bf62b9de309b305fd5d492

    SHA256

    b7abda552213b574682e1e7bf797788e0da6cb575a63e625b1abdd9101a80e74

    SHA512

    474d21932eac1cc5d654ee5e25cb6a535de1330b200e84ea72a366d72da91d54dc7d372907c2235e7a43f0e15e1b6e2273ca6c94f744591b0dfe336629967979

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    65d4ac0a095f2067144b5058c0db7e6c

    SHA1

    bdff198b4e1e9766bf181fa82acfcefe5123f3c4

    SHA256

    f4d88bde725ea5972145576c0dea294acbce1289222223b7260350311829c68e

    SHA512

    6b6f030f555740e77131c0cdf6643d85293046cc1dd8ec0a42e1fd5d6000269662386830134f3ee716971d4b53d7f1160088c651f7c0e3e9b0e0df151ad37e2c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    4b02e0d130a5bc741b258fc1d09681be

    SHA1

    5356d66bf4ef9a4cc13b3bfce5f374530cb87668

    SHA256

    36c76b5f191ce49bf1f52efcfbdc027e1952b1153c28c3375fb6b0b44708a9d4

    SHA512

    50960ada5cb0c37f8b912a5b4aeaed8d729d021c53e5595cd768a2e2337fb9726caa4db2b3b41cd9ee0347fe8bb7d5bad3ec70a4febadf581966af9f2c690fbe

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    fd657c9f5f3e333da4e15cd259ab8e67

    SHA1

    807ec44493ef406c4719599b7c515a3da932402e

    SHA256

    09fece695c2783e7d150b17a812ed0fcc12e6aaec924cdef2229ece024fa73fc

    SHA512

    ea96919559424ef2ae4635f8972ce50774816a7a6721d0ddeeefd45a9aa395c5303c07b96fcd821dfbcee8fcccdde96cc9316c6b6a6aa88a077e87e4a6895509

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    1d324145d7ca7728b18d2b3d9e38ca9f

    SHA1

    0f657139c1a080017b119b400c0aac9d1dcb406b

    SHA256

    a7812c8688525b91eb74a6fd98202299c1f67b6a5e9a1edc0b3ae55f18783ab4

    SHA512

    d79c113fd889bb2f364866010a7d6e0db95dac6cde50058c9a3e388d19235e088cade1d76ed1ad6f57d73085846cd993b1873b9457ec4e23189c95a75a475b05

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    ab0c1aa28fd3022940a5cac1e3152c66

    SHA1

    30af0a8991590555ceb781c06073489d11d3480d

    SHA256

    1e009bd7a5bc01ade14fc596665f65c00f03e38e9ebe202483a9df2d98361a40

    SHA512

    8526a9dee212d1db8d3b4e02ab6cffccd5ed1040ae6ad105df607f37a6b6d333ae5c3b2c460b6cdd50aef4195bd05a2dc67285cb57ac9ec8b2887cc992514b6d

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    d63b5727873d064746e4810eae91fb96

    SHA1

    a9839f16dba56732e4f10d9dff389af5ba014336

    SHA256

    3477d589b26086ab223dd1053d43d69207943a749ead6e8d5aa4f856e81f01fc

    SHA512

    c0e84ea391d69c5cf5529757bb2baf7c7ce11202de12c7b0d10af265cbea2b68d63f1126da6a93299dcc1ae4709a72f0f956da948bbd3ad939e17076d423b64d

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    e2b0639b491b82271394c7b3ff021916

    SHA1

    ff6faea2c325292cd09b5c12175041607d3a5685

    SHA256

    166cbb742d3109ffbf87563b135b18bbd05e43ca9896953c59890c990d5022ea

    SHA512

    e6a7341ac051af013b4bec9761c259af78d697591796f7345fb08589c65bce7f0a92487c22c2c1e3028b5388e6ea1197649a314e371bef433d1fc6b1e12e1378

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    ca5cf49701a8741a6e315bce4ce7ac1d

    SHA1

    5c58939d025efd21556cb1fa5105ca4be30473c9

    SHA256

    caea74d687ea2f77ef29844534659a53741d9449851bb7025a8d2bb57045a1d5

    SHA512

    80d9194368ada784d975e28fa8b7f20bc9d03b5b139f72e19997081ed3e436e46d1b8990b96f4ee634b0d757bdcb079d41990e71e4d809c33fb815a366ae43f8

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    6ae0ad008911d80080524f9091e23e40

    SHA1

    9e60e129d46c2af52c4b383b5dac8672ef42e840

    SHA256

    213d0df56d673be2ab0c82ccb376341708535d3ec4be99adf22dd3819130205d

    SHA512

    459268aedaaabb125ebf34d5ce6b519460f47284c3acab2bc6227688ff6f7ea7b17e8484561ab316bfd2a73f84d9fdcf80967a2120826bddb9bc4a71c6dad622

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    d3588462438513173acefba7b353b8b5

    SHA1

    9eb3374dba7e8e4e3d0a45ad9775149abe9054f7

    SHA256

    b604e7427de11b099450e1fbc0ebea38b15c071695efd9a281f56d32fa51783a

    SHA512

    0c548fb0158ee28c168861eb6a15e7fd977d175746f8fce8bef9109aa45ed02d9817af72185d7835fba7f223b01c18642b752e561b85e5f30bfe82c3d723cfbe

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    02dffa402c6558bb07e8e49517027fbd

    SHA1

    9b198aba62fc2a20b34c8acc8db2235a8e80c3b1

    SHA256

    56a43554fd7524b3173e457d8ccac4c6470dbaf4233736cf0bd8b637d5d52a89

    SHA512

    d95be9d48ff6ab917bc294bd0ed0e48548c34b052b245262ad940bc7767babf7aabbb2b424a70e66120b28dddfd72ce18e50a7f0b7c2b0a216c56f0f239d4b7c

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    7be5146fdbf1cc1f08f18b8277cca450

    SHA1

    76fe7c65489686d70d2e8bbd25388aaf3d375a79

    SHA256

    7bc3a505731c379a33dce2f4e3ca9c2ad2678b2b4040250ae6574fd37e9e193c

    SHA512

    202522585e801532a812dae11a06af20f533f8e13f2813d4bb3a0d188a4a31bba0967ac12c756bfdc1e29a5a94ec1139ae002032860364e317db021d2b6c9212

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    4dcff33ae03dd696ae2f580c9691b9a6

    SHA1

    8e360c72db20908a92fa80d1c596667510fd1cec

    SHA256

    39e2e778f6b9ce2e0ae4fe84b7879a907600f2eb4610653d7d56e0f53c194639

    SHA512

    877dbacd4ea41878e76fb5803108fb5b00faf9f57e3eaeebac64ab9ab1d32e72327125c7a08b609caa96cc440ef620f16865198020f93c25c32bc37ad3722a27

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    d80f6aac798a1199f83c9800134d6b76

    SHA1

    70943a80a5a7c6abe4bf6681ff13f8ced99e67ab

    SHA256

    d4b6647f937bff093b2b2c21d52f725ae9914c762d58bf4718c48b714dba8ea2

    SHA512

    cfb08935766985674d6ad32070b9ef0abaa82a265984c844c2f31cd04fedf36c0f8daa222a209c18212db22bf4bdb20ab421d289175bc91180adf86a56978e49

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    0a56ab80e1a5e40e434a224c058d0873

    SHA1

    2ed38cdf4d21b6efd805b65fc5f049e0a3616baf

    SHA256

    14262a782d55212e377095013a01c6d2051717f1724965103de13826c34007c0

    SHA512

    949125469619afc9880824a07a6d975d5e26d99c7402213b312755e7c69b4d3520654911a0fdf29d6d9229899cc0c515c9dc8f3432da3d47d17c7be146d06ac6

  • C:\Windows\tiwi.exe

    Filesize

    351KB

    MD5

    1152778ff273d793cfda6f028a23e53e

    SHA1

    b97b16090e7837f1358340c92212f4a1307567c9

    SHA256

    089d0fce462a635947583755c1cef0840c57528f61d012f2c1d48979c19dee88

    SHA512

    7715be297d48816f2e654328f2dc1555d07ed103b4ea30459bf4c960d573fb4b1622e9694ccf5f85676d679fab636967c4d2dd733dac670566a9ddfafe7e0efc

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    dc1349fb1307bb358006cf225ed6ccdc

    SHA1

    3dcb3c937e3d4e4b292958d3798b48679466555c

    SHA256

    4ce2ef2e0eb897f3ea9b090b1cdaa8aa7294b9374a2a7e3d8d7c1874709c34b7

    SHA512

    4ea7d3f4c0a4170bfc7d0c80690bcced952612363f4e63e9cfa44c568ddb8dae1d5c0d67044703c3e0a668de05f878b451463db868beea8d6c937a0031f92551

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    1b5d69ac43cafa39efa3b8e2746c4636

    SHA1

    00eb4894b876392055ae15f492043765a7992a16

    SHA256

    e79a50574052085d749a41aa674e0d6275713de8a0d87b9b6c4b9622cfdad24a

    SHA512

    b962d3df673d7a4179f5a4847d0e3cdbafd1da1def9b0a5cdf048498fa534e6eae97d4ce62e203a6d9102f84b1c9109349fe2d2ac100ccf5736a91a2792c6579

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    52c8235406c1b5881dde7b214e00b64e

    SHA1

    75d29238d0166161c9eb02460cbf0e4c572b928d

    SHA256

    ae53122c65e9f1b09149995f21167b2678f274ca5e0b03c39226f8eefa57bc42

    SHA512

    fb0c9441f6e1080ac77d15168c21279da696c26a6bb0c7a0c987a43cd5f228d7a2601abedb1ec38a7fa052e640e07cb03fe9500546561a20dcc4f92cdce15915

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    351KB

    MD5

    352c84dfd4eaf03955e974839c0fe4d7

    SHA1

    287be2ba10b36344581fac5a9f4afa4725e4090e

    SHA256

    721dca1cdce52f0681dae2120944661feb7234039dcc7ae2eafdf12c156f79cb

    SHA512

    a9438825218ab5e515ef0cec9502329fbaa9dc83fc31a6a67f3f0b1003ce54e2d1bb6f60ad001ac10064b2f8bad761da617791f68cc5292f98980520d54515e3

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    351KB

    MD5

    8adb86c185b16912dc4443ebbe5a2598

    SHA1

    e279c2c9bcd7bf1a45627bf3134a8557a7ce70b2

    SHA256

    f6af3a01de12ef7f05977ff8b855ba59215eff631d5a2734007fb49235445dcb

    SHA512

    715804b5e5bd1b1af93b537d4e6029bc401ae1bf8c32efba718ccf45436fff053c57ae3742ba3539fcdb39455239e87fe419f4c3e4c49d279eee950271c0b775

  • memory/756-421-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/768-317-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/796-454-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/804-321-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/804-324-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/804-322-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/1316-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1316-269-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1372-316-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1516-340-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1516-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1664-449-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1664-125-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1676-447-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/2232-214-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2232-169-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2232-217-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2284-452-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2328-210-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-124-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-123-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-98-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-209-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-418-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-109-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-256-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2328-110-0x0000000003780000-0x0000000003D7F000-memory.dmp

    Filesize

    6.0MB

  • memory/2456-442-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2456-443-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2676-325-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2676-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2676-258-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/2860-446-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2880-211-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2880-265-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2880-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2920-328-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2920-329-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB