Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 01:19

General

  • Target

    47431aac78883078912d4cccd311cc7d5d95fa6a3a04c6695e65bd08d8eed714N.exe

  • Size

    384KB

  • MD5

    38e3ae7675915905ddaa22ab49ef82e0

  • SHA1

    ca280221c4dd590270d54b1fea65dc6030c7cf6b

  • SHA256

    47431aac78883078912d4cccd311cc7d5d95fa6a3a04c6695e65bd08d8eed714

  • SHA512

    8b41b3acb8dbedbd5f8e276c2e8c632d74dbc756e55c992aa0417c3c64e1155fef77be78bd1b14d8f3c1675a1c8358585193a94a19abf7d970feb94aa9a9cdd2

  • SSDEEP

    6144:V/OZplEv/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/MEv/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTPs)
  • Executes dropped EXE (35 IoCs)
  • Loads dropped DLL (53 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 18 IoCs)
  • Drops autorun.inf file (1 TTPs, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (40 IoCs)
  • Drops file in Windows directory (26 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 36 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel (54 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 18 IoCs)
  • Modifies Internet Explorer start page (1 TTPs, 6 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of SetWindowsHookEx (36 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\47431aac78883078912d4cccd311cc7d5d95fa6a3a04c6695e65bd08d8eed714N.exe
    "C:\Users\Admin\AppData\Local\Temp\47431aac78883078912d4cccd311cc7d5d95fa6a3a04c6695e65bd08d8eed714N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2264
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2684
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2572
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:680
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1788
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2604
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:888
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1936
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2028
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2228
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2924
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2984
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2736
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1464
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2392
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2652
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2396
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1932
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1096
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2224
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1664
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2244
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2240
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2740
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2100
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2608
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2704
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    384KB

    MD5

    1e55d705e51204a49f2717d7399cd37a

    SHA1

    ef8b0e69abfcb07e5d2842434e6b7597aede9947

    SHA256

    ae096cb4e6652f4f7be0e55c13e7046025416fad8a81c6bd6a838b578afceb4f

    SHA512

    0ac16224ffa058aff56d3b6c98324f27a61aa0095ce1269250dc71c5715cce0a4a265fe2d837abfdbb30dbd6b2d0485432bed3bb7457afeb841ad183ef92612e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    384KB

    MD5

    614042e31f462c2342ffe5c38b9afb2a

    SHA1

    23632842745caca35a2d007868dd9fb9a4884d12

    SHA256

    4c32adcef42848202c687a1cd64ef1d740b1d6b45b4ac9fca67de9de850550b0

    SHA512

    353c9c2488057aac3ca924f299183586caf341ca6b2db53834eba1fa290997d2333f46e38a0cb44a194dab85f4d6116377be7718fd0bd1901d76472edfc25ccc

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    384KB

    MD5

    4cc3aa3a8e4d608febc709c8cc7a5b3b

    SHA1

    b618c0dff17b50a9dae44a538ac065c2c4b7c915

    SHA256

    2ce1595a702b618541d0eb698fa1fc419e9369490bed50cbc814961882b21036

    SHA512

    e045c1585f40c879206912fd8694c609073fcffe5dfd7b874fd344e26151c40edee448f12b52873a255ca84cdcc4dad7abc2f5defcfd10c47bba91430c30ca13

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b8bbd8255ee4867dfeb957a51c7997af

    SHA1

    30105661b8a01ae608080afcc867c123287dfd45

    SHA256

    6cb2bb601ee9115ae25bd7b696f3dacf5aa42521560015e29f5f27d9dd575ba5

    SHA512

    807a5a58aaed5cb7284b294cd993eea08bbe331ca2506c2072826169a1b6b7258e08541f2b05daaf5bd5377c931a1b0f6545ac7e5737015ea58e1612f1262bd4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    1e3e47bdd0b7fea7e1438929366aba26

    SHA1

    33db9293ee270c6f13c0a9ae0699c979111cf422

    SHA256

    19fcca1d2b947809a99a3b708841d4ac785376456b2b41e15ba3b8382ab6f0ca

    SHA512

    deb6499a825831538c196a030c992f8ced88347e9ba6879a1d59e9897dba7abfe3292075d8c7544997ed1db14b9176976bf2cc0bf26717df456379b6fa59dbb8

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    384KB

    MD5

    7b84ff08c07303cc72adb81440b1b738

    SHA1

    1b5bb630f6c2d8418482adb233e6ad8e2a2bb57f

    SHA256

    7e887ecff8704408c8f14088d7bce4967b90ce1f38079ce62e31a8eb71531017

    SHA512

    fd5104b261637f9ab6b145cafec9841a5a7ff5a8e90af59e39d0dac561d91953c6eb4f1620f50962c397ae1c02ccb13ffdb7be7ff9b6b612a9e51dc3711e921e

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    060907ad154b6e07093f1382b0ee0a13

    SHA1

    d1a1403813502b4c3f77db53ef5eee51c5256637

    SHA256

    f2c577c069ad56945da754541c3e4113702522060bb631fcb967ebeff64a2461

    SHA512

    76948f2a7062f1d13ec182a4b3b229c78edc758be3f5be1f0e92305bb4a293c2e70b1e8c817e7178cffabbf7b2acbd2c8f40f882cf470a3469bcb922b97dbb2d

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    2b2ba5f79dbc0e8b2ed050d53f9e05f9

    SHA1

    a7207f4788c6c6409038bddfeaa259fb741a7888

    SHA256

    799d506c1e51420eb9bb6c7037e3bc2905a979a08ed26f2e62535d622699394d

    SHA512

    d46ee50b2d3f90d030982aa682a031ebb6d772705444a2e6f9aadcbac786110923b809978f7f4561de5e6f87a2dcec7f06d6f9d7dabc97bcd9cec0801bf482aa

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    38e3ae7675915905ddaa22ab49ef82e0

    SHA1

    ca280221c4dd590270d54b1fea65dc6030c7cf6b

    SHA256

    47431aac78883078912d4cccd311cc7d5d95fa6a3a04c6695e65bd08d8eed714

    SHA512

    8b41b3acb8dbedbd5f8e276c2e8c632d74dbc756e55c992aa0417c3c64e1155fef77be78bd1b14d8f3c1675a1c8358585193a94a19abf7d970feb94aa9a9cdd2

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    d57a20cb7b0101a3e7a056a020af9c93

    SHA1

    95583804c081d59342ae144d814dfc13b4690fef

    SHA256

    a1d3c6b92265f9b150bf04a6ff36b37bce34e56595120883153c30742fe7e23e

    SHA512

    bc127ef0024754bd0f7c0e36c51e53b3cb24c3df2acd6ac9ab10870c0a8b882d1bf7493b4dda9b8f075bbec68a03ac0f4f7aa12a62133edaea5a050cef09db72

  • C:\Windows\tiwi.exe

    Filesize

    384KB

    MD5

    44f2907f9d0bb4e6550a63fa4a08c8ea

    SHA1

    d0a22fdc5a89cf8428ae4452d55f7eac2f82363e

    SHA256

    0fce1cffb4387856cdf812009686475175f89d542ab3e6d5d7ed7f38348066a0

    SHA512

    8ee6a9f1435b21fa6e948f810fd4f19ac66cd07f7bc7cdd7410df2d03c74f716094150807afee5aad334983413d29e1bd1a0e7d7bf019d80245c2fed894fd92a

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    fbd198eb36a3c8de23fbef106e75d30d

    SHA1

    10fb23b3cf47e9150dfacb3f3daea29af5376431

    SHA256

    8cc6ca38585abc1f65b73fd8c37f50281fddb4b3442b19acee35364dc4280915

    SHA512

    54dc2253f7fe0e97a12e25fcfcddaa94cf395addefd73b295ca346514619afc223f96340324dd1b368378e0b7115c75374eb3cfbae61ff3d0f9d423564dea915

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    384KB

    MD5

    da4fd8e0a0f781884497eb45bcef257d

    SHA1

    0cc4e7bd9ac3c8c02726a29abc20e36fc0a9a24b

    SHA256

    227c422aefe77577801f87d1c2aeb03dca5e8ecd03bd29a8634bede68d764a92

    SHA512

    74d5470a1718777b6769fdd55a690b2b3bec62dcacf3349a746823c6d313cd93e31ec85a3b221628e10853274cf7329d50c2b24084b24e2f32876fdeb59f6c9c
