Analysis

  • max time kernel
    119s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 06:05

General

  • Target

    63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe

  • Size

    384KB

  • MD5

    2b9ffc7e6cd8b47925aea8d5bdcb6d00

  • SHA1

    ed9bbedb791fad104e93a47ff059f0b1efbfadaa

  • SHA256

    63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e

  • SHA512

    78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

  • SSDEEP

    6144:V/OZplx/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/Mx/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Executes dropped EXE (35 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 18 IoCs)
  • Drops autorun.inf file (1 TTP, 10 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (40 IoCs)
  • Drops file in Windows directory (26 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 36 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel (54 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 18 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 6 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of SetWindowsHookEx (36 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
    "C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1640
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4136
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4392
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1120
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3884
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2948
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4932
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1084
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4668
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3024
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4120
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2988
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:628
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4860
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3428
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4456
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3472
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1504
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3216
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1608
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1428
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1872
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3448
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4084
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3620
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4588
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1376
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2996
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3544
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2632
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4192
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1696

Network

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          421bc619ac6e9207fe5524f1fa052565

          SHA1

          f110d767841bf94da3025c0f97306b2443224959

          SHA256

          19a758bfac6e483027d0bd335fa2ce20c916ad58ecf973aaac8eb734a54e1c5e

          SHA512

          8049cb49ae46755e09d4245c2bd049b0a2b2e881bbfc95d954a081166ab957770af253d2c2f9d7fea56a22b799e07e5769ad8ae9220750e6b7812ae9e90ba1a5

        • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

          Filesize

          384KB

          MD5

          3d3cdffb95b010f5a8981737af494a24

          SHA1

          741e51a27ee7ddd1bd0b245fc810b84946b6aca9

          SHA256

          c889e7eef1fa092f022858e5df6e7df379d625e2d12c212700f9bbcb06ef1d1e

          SHA512

          173b8df07c224265813338e749537e0b4e0c9b64b3f42fc2407f607ba503585706313e38175e8a46fb5330120ac2fea9b20d352effc3917b4b3a7b39cd68ec0c

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          384KB

          MD5

          602a549f9fc3b558fb69ad942b8bd9e8

          SHA1

          b4618c87c153c27883dac4432570a14e99394306

          SHA256

          484562d3af34180f4c6232427c6e8354180f939db8f66fcef750f90151166ce3

          SHA512

          a9cb5f47cf3cb7ede2a2bed26ba744295ee942808602fef0f83e97076f3c46f3d16bb4153ffe489585c79394844b7b1d2ad672055ef59c0e4c746a85b09a8fd5

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          384KB

          MD5

          0b3a8a8a3adb616d8bda14f3e533e930

          SHA1

          f04e991dc61ebd147741f3e163c672a91306d5b3

          SHA256

          63e62128185ddf6505de15f495dc5fc06c9e8925e774119a635c2a2fc8420991

          SHA512

          78558fbe572be214fb485f6ec679dc5ad98d415bb548443ca48b1e02147f03c6ca0fb4b8b8c58e81aac957204ca8010a4c75df4e0812a292f21f8157d5671b40

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          384KB

          MD5

          1ec5bfdfb985aaa32bc4caec8f7cae10

          SHA1

          2731019d607dcfef7f16be3fa8338ea8a0c30c5b

          SHA256

          2351413d0cc90459067369513645442f7c2e13a3fdc96d2e9d1bea2a1295b6d6

          SHA512

          2e8396c3c82db45819a5b78d4085a7348626bbdb539b6b2d917c0a8a02ef8034e752ee81badfcd801c14983ac48fcf27e4de2a016c16b524f5c32ca68b9f2a38

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          384KB

          MD5

          619a5a971a7ad0bd94276601511d258a

          SHA1

          ee690588331efc239bd5d35508028a93275caa26

          SHA256

          475234daa63cfd84b58e498e45a7442ad55e86f180651b8edca886ce64210414

          SHA512

          7715152db3d3dc54af26f63f00db446cc836205bb1f7e3929606803799a55033a11c2b9fbcfa41ece7dcf20286e04889e06a4354d17af9f3f25c0560ea47f1b8

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          1da120080779fa0df385d84ca318db46

          SHA1

          a59b10bec70920a75f5c7d8b6c3a1da32501d12b

          SHA256

          015949235de02ee292349765e8c0050fd4d141929ca5a840b2cdc6b0f6bf3ae0

          SHA512

          b09db4e7a2571d7c6dcae8dfe8cb394a4058053b6204856b6ecfb8949edb9ffb6c2ed0884c4815e1e6b1c2873d2b7984395483f229a28227ee06e3de20429650

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          ec63c79d3dda43ed5543c3e6ae103859

          SHA1

          51301983008ad0ffb38c268f1b17f50be4f92ff1

          SHA256

          776907c4b9deed6889e77ed27523793d7801e404fe770cc975be4b788a6e8b18

          SHA512

          7c59aeb11639e9c92598cb404608eb8e490312e05be4b3c8384977a8f73468ee39e24d4f07443ec6215b53e61172910c3a4e41a2e58bf27783a4cc863242f3ee

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          384KB

          MD5

          0904d1363c491b93425fb87a858752eb

          SHA1

          8564d2fb05c4d48066ce841d04ea98472699fbd8

          SHA256

          a50a6286eaed4e40ddf04c46840d1279bffa1a57f78296b17a41b59236139591

          SHA512

          c51565f9490739088ca99a2a245e8970f0b5d9e25bebe2ff6952461f6e2946bf7c1e66288db79e9ee1e5e4afffcb159aba3d5ed608e5926c28fa7ef743b2362d

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          384KB

          MD5

          ade47aab1aab913beef18f855fe68e1e

          SHA1

          304096a453747cbba928c57b8153e30097a5b054

          SHA256

          acd7841f03e70dac144b6bee4761db0e9aec96b481b5f43b03ac8ff19dbf964a

          SHA512

          0de2f582ef6a407403ad0d7ec003a48c9fa3bbae0d86a99e917a6e56fe0e8d8e80943856145e3443049dddfdcbec81a9cd99d4db1ad3778de76e4667b7f1ad97

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          384KB

          MD5

          4b00f140e6b862252b705e870a4f1590

          SHA1

          ae2118eee71a193173b6f18f0b003306cb732738

          SHA256

          9d7ff3c255a7492024d9514532fcd6f0e0dab30d86a10887aecee93073896453

          SHA512

          ccd970109eac2c2800d53a01a70d94cd4c2a46b7cdb203329cc2cac633b2d03ffe05234ec97e6f2baec270b4606bae202277ace0bf6e3a2062e2e90bde42a3c2

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.4MB

          MD5

          25f62c02619174b35851b0e0455b3d94

          SHA1

          4e8ee85157f1769f6e3f61c0acbe59072209da71

          SHA256

          898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

          SHA512

          f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • C:\Windows\SysWOW64\IExplorer.exe

          Filesize

          384KB

          MD5

          d62fff08d20cda68686870292fb1c056

          SHA1

          39ebff0416ad16197eec8b2569e521e098a98044

          SHA256

          0e130155bc2b4be630e0facdcb474c8187f998e41b2cde39bfe8b9ae4f4dd46a

          SHA512

          acc179070ea571f5f1e3a807e2acc9a3d537271c92612e21491302830b5138917a8d38c7de07b1e98c7a5fe73937b9c773c3ee76b84d18e2a3bbe19cafc02b8d

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          5b51117d91ae3cce562a4c094aad1631

          SHA1

          4bb779e5f816a203be0f38f100f34617e24b3ff4

          SHA256

          56cab5c96d3630d8861456b8264b00f2282fcc7c1f984936cc13259f72f76b30

          SHA512

          8e372a96456a140b0fc4451f0110aed7c82b8f59349da666e20b5722c21a6e7dc39cf02f48e3187e531a8b1dfca9090a601d4b209343c869c7812c381620c0e7

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          c2f2babf3d81f017374a5038b1d6ca25

          SHA1

          43e08f893c1b662ef297a4fc19186f6b751f88ed

          SHA256

          39c7bb0ee6d609af5b73edc66ca4b3f32a4a2ff177f3f7d97a4685e9635024ee

          SHA512

          494de8a777d987b4e78880ede49bc94097807c548e2526b2f060809e45a97c7905810e95a4eae5d4c0cc613b715caca7c40089e64ac909565cbed17eb8d777b2

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          2b9ffc7e6cd8b47925aea8d5bdcb6d00

          SHA1

          ed9bbedb791fad104e93a47ff059f0b1efbfadaa

          SHA256

          63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e

          SHA512

          78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          384KB

          MD5

          c82a6ce9a04a4cd9801a3093e7580bf9

          SHA1

          4197adea48506def0f3e5007ba8e3f997c17ca79

          SHA256

          df2fd5dc29e583d9a971f678e6ce3d350f58d7f03f57e53dbbc1985b353564f7

          SHA512

          039033b56da898d2ef2ac732d3e32ce1ee29ac2866cbafe5f324f90bb4e6d63635c7c36669bca9f417ff3a6859ef7566b56eb7f12d417e9dacfba7749868d6f5

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          384KB

          MD5

          fe831b0adcfe3d627a232b3a57f78feb

          SHA1

          f4722774d52670e50dc12a742ee9b97bbc44f9c5

          SHA256

          95deb5b21a7db2dadaacf413c93789aceb03f5643dc123b69935d0928c279ec5

          SHA512

          04cd8b62c050047d154bdda6b0bceb1ee5fc77260493b2c998b570792d38755dad67f740d9559251e51980d1e82ce460e531e1b7e4006546aa9dd6b579559729

        • C:\Windows\tiwi.exe

          Filesize

          384KB

          MD5

          27da3c58fb2f240dfdd0c2a9026da910

          SHA1

          51fb9612f1b4b8775ff59c2888044f12a1f88a09

          SHA256

          62c8081fceb492844689d30bf0fc7d4ef9c59c7bb2f31ae0d74021109d0e1109

          SHA512

          7aa7ae837d1fc34779addceaca87347db0bae8d30cd52112ed2b038bd469adc066b41117ab6264012552c04aa9b22dd1816e73009f4fb065b7887e10efe814d4

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          384KB

          MD5

          1f03c2dcc8c0decf09c0eb10cfb615c8

          SHA1

          c60297d1c419a3f25081abab7ff3a17d8007e221

          SHA256

          f583f0b90d3f321f35b203bf07622e75040ec5f28f6b64168c377a8ba9e1f130

          SHA512

          bc5b719853d978e962307f8c6bef40d8262028582e31fa6d7784a2505e1daf78f7889c8c7f162589d8b83e1d8a119d6f9f1db00b89aa8eb78dcb4c890b1442b4

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • memory/1084-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1084-243-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1120-248-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1120-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1504-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1504-244-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1640-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1640-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1640-388-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1672-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1672-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3024-438-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3024-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3216-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3216-437-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3472-245-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3472-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3884-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3884-301-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4084-294-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4084-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4136-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4136-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4392-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4392-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4456-314-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4456-298-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4668-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4668-275-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4932-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/4932-276-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/5068-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/5068-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB