Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 06:05

General

  • Target

    63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe

  • Size

    384KB

  • MD5

    2b9ffc7e6cd8b47925aea8d5bdcb6d00

  • SHA1

    ed9bbedb791fad104e93a47ff059f0b1efbfadaa

  • SHA256

    63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e

  • SHA512

    78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

  • SSDEEP

    6144:V/OZplx/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/Mx/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
    "C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1788
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2588
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2984
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:892
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2148
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2844
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3044
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2464
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2240
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2692
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2836
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:688
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2192
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:548
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2724
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2880
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:672
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2100
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2660
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1832
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1900
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2924
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1804
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1636
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2032
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2932
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2648

Network

        MITRE ATT&CK Enterprise v15

        Downloads
