Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    09/11/2024, 11:02

General

  • Target

    d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe

  • Size

    384KB

  • MD5

    c1eb213dadf03c15c500ee0e15cbf260

  • SHA1

    cb40a0d6d7ed1ef83c2145eb4340f46453feb240

  • SHA256

    d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a

  • SHA512

    74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875

  • SSDEEP

    6144:V/OZplW/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/MW/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
    "C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2288
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2780
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:612
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2940
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2876
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:584
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1928
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1300
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2392
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2824
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1384
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1188
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1416
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2340
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2088
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2320
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2800
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1044
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:920
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1976
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1852
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1704
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1644
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1608
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2444
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2816
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2044
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:532
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:296
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1224
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1780
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2036

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

          Filesize

          384KB

          MD5

          0d59f81e55f68209448c2bbed2386caf

          SHA1

          2c6c78b6d4b0ae8f7e1bacc75e6a6f2f3694847d

          SHA256

          efb0b5c0aa1f41cbf9013b376479a0bb7feda6619ea9dc5c7368501869c8d46b

          SHA512

          fbcfeb112f2fd9f90bee6de1d64ac587a7dc02984eb6d46853529b8d5dbb3c5993075a6b7b478678baa8e121a1e53e1ec1fb4142575e0d55377f90c7338363a5

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          8636ace0aba017bd00099020c13f44e3

          SHA1

          dcbf9ebedd3d3f203966f22ce75f8a510ce1744a

          SHA256

          3ffaebf35cea76fa7fb1bef61bfd37de5fb4810b56a01d2fcd98d73f51fd4c66

          SHA512

          59a93e24cc93000781e7e6042d75dbaaae45f5104b5d95efca5ef7eb38173328d69d68342c5fd6ae22f2e3e0f2a96c2022a7b7824b2c64aba50ba884fc08f734

        • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

          Filesize

          384KB

          MD5

          e88448feb22aa0b7413f3cfdb76ef314

          SHA1

          48395da6db21bd4c11af91d641cf7ab7711e3663

          SHA256

          7cef895e652d063133bc21037a0d970c3233051da1394083377e3dd27045e3b8

          SHA512

          3f3dd964da6b210f7124a3240903d4720d30f075fbbe17086affcb3f8c5b7ec8c26e8338a7658f0cc444cd0acd0226f8aa6f91abfa3209fd5d50c0aa9cd43ff3

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          384KB

          MD5

          7b467e884bc5b9296ee338c565998765

          SHA1

          fbdadf928d73e104dda4376906279f6b7495e20f

          SHA256

          342f1a9087146d3b4626c37745bbe1ec90ffff1fcbab8a90201cd33ee2bced94

          SHA512

          4a60b06381cec9c3995d943f0e05bede5efb1b091fc8fbde3d21b9a4e55ba5b5390812b7df4ea402b08175d238f07edf63bd731158c2d36ff5dfe77e874de49b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          384KB

          MD5

          58530deeb97bbf83723e3f1f5ebc3d07

          SHA1

          86427e34f349121c9314e06d4bf91b7840397fe8

          SHA256

          d0cfda7afbcc703b9d8b8dc6f03894f0e06edc1d910f97a345df8329ddb9b4a8

          SHA512

          04bdd3a86f9d267c20da23410038b04a27442a4dc569dfe767d1786419782d84c47412064aeaef64cf83c6c8243af6163bfde30441fdcb6982af5f76091fc879

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          384KB

          MD5

          74821ba11d35cd9dff9f2b1590ba4a7e

          SHA1

          267a1d259b51f58ee00949de6252251b986bd666

          SHA256

          72c05006fd9955b4a01fec68daad0749de0691553f20e2962b5a35330ae43427

          SHA512

          3985161a9283507189665c516e7436a255856c2111a6cb84f027ce21e06ec5e77e16a722fe03bd779e84b55042ed42a1faef523066c4477c641b797d7e4c3707

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          384KB

          MD5

          7cc81917eb71529c6c5b109fdc287049

          SHA1

          5ed616faf8ad6e748fba1c83e021af4037c6c900

          SHA256

          1c3faaa7fa9c1588c4f8fbde25ad8e0313f247e9a7220b04f71a64a68d6cd4c8

          SHA512

          e3f2be5f150980660e7c5bd3ca58c97d13c846b926f9e9c28d76645b532150fafbcf690587d0df43993f3459b4a2630dc6275e798f80fd332648117f858770b8

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          384KB

          MD5

          24ff196bebdefdf533db5188aaad478c

          SHA1

          88c6bdc501902d46bac8e2b48a197bcf46e9c021

          SHA256

          22781ec92b94b1bb09a54f02b29ae79cf538904a1e08b24920a17ae07294a64d

          SHA512

          56279a72c6ccbeb134aad7f496b9b2f050847b1525291e98306a22e07ff8304b32647de540612724d3775a08c610d942a1b75940e0f0956eee254893b19e947b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          870b96eed62f7d5abbba27da18f5e311

          SHA1

          31f3e769f408b67e695ac36b561b0f30421d52a6

          SHA256

          a81cff2cd43e0bca1b48b59dfe14ec7dea62d1a6bb5f3a2082ee443129628ea5

          SHA512

          33e6c2570300392c8465e475c24876557fbcc919baa05c2f49ff08ec45d735618c5cf97bab50dd4b04c6cad919870166357b42362256053424facaaf91036f06

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          1163a1ef00401b07c0327c95420fa040

          SHA1

          0b17ea8f7cf9778bb85eccda5716bccfaacaced2

          SHA256

          26ab2458efac9e07f20e7279fe227ed6d1062efd4ebb70d54315b2c6d9cfb06b

          SHA512

          90f47412c2bfd5bd31e91e1fa062f04c8af0d56104da135f2149ce2d89c9b87ba5a54c8b21afca09b6170d915cac63eeeaa8a43dee1e701812af82f6d11ff6e6

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          384KB

          MD5

          50053b60cebfaf57db2b8f5d8553ad0d

          SHA1

          1597ab966376e93c51cc28d6b8ccc6e1629f9e94

          SHA256

          0e22c064a41a8d9fe4a919115b3dc58802bb7817b4a06662e32cb7b158c347b5

          SHA512

          1694b14038dbb15685110fa7577d20d8c3a749f1efbd0c5e5a5313c2d5f4d5e583775ecca79e7220923f07ca3ada4134bbcffd773c138b501955005bcd50824b

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          384KB

          MD5

          02a0b5f6641a88c7f853f2cf8bbdc9f6

          SHA1

          d1ae79d9ac7d7d991214c5eb29120bc65b0fdcb9

          SHA256

          50ab789cbb6e0c66307dd8d5af85e8026499c5e5732f429f3107c304b4b339c4

          SHA512

          315875f11eb4d6d9026225b53a15a3b69eeec2f084492720e30e7b5b53ab28dd08a68b7437e010b212898482502b940ccbd9740c19fb8f04ec3752ba44efc4ed

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\IExplorer.exe

          Filesize

          384KB

          MD5

          6f030e7c20d32e9867fc86b08687170c

          SHA1

          0a4d392a392d126634d8eec814c51c185888e818

          SHA256

          503758ca5942e060fb9db2b0edbcf9acd7f35b424c9e7fdab68a6bc13adb8c88

          SHA512

          9ca20cac482af22508d0653846c74efe504a2eb7fd957b1b1e3289fb0685853dcfe1a7d5c3be8e113c2733bda07225ee92e99792738cd8422b393036a22258c4

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          f666c72355d2852181edf7c4331e6599

          SHA1

          3f6f11390d134d1be0bb1d09fc8b0a83f3a6624b

          SHA256

          0fc340955dedb8f08508d8771560c15e207bd49a9a46ea0a4e95c93a2fc91adc

          SHA512

          6cf8d88faccbaeb84803394aaa19b7567bfb62ef9dca4c6229b1d386d37fab6b8dc4dc0cc6cedc9e9d43d4ede4177eecbbead7fc07dd3c0ad2b42b7b18475f0a

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          49ad4f5f20f860f234835f6906c8bf44

          SHA1

          461bcd08b10512a120c8813ea509b3964f12384b

          SHA256

          0dc86df118ec71825102a48798e78087dd9d1d4eb50a65dc345285d22a8106c2

          SHA512

          1b7784f34af7bfcf52dc153f8834660e5259279eb7692844d5cc9dbac5ea6e7ac68f1822d773f7694fcaf4ddf357bdcd3006a7f0c565947c5eb8b0a557c0b544

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          091fefeaa3c6fbecfebf4aa942595464

          SHA1

          509e53182a39b7793e54c5a0402ac897e8bee7e0

          SHA256

          5a47d405c78158256ec432582a247028a6854d722a12a616e6f3afef83809f6e

          SHA512

          41e112abddd506b962fd4d797895fb052ed717aa9021e5e5c5df6a5fe0aa3b2247f413dad439e950f4c3cc10bd2fa07909f6dc4f76e8ee33208ff74969311ecf

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          384KB

          MD5

          c1eb213dadf03c15c500ee0e15cbf260

          SHA1

          cb40a0d6d7ed1ef83c2145eb4340f46453feb240

          SHA256

          d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a

          SHA512

          74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          384KB

          MD5

          7576ffcc0e424fb72372c0e8c0e3ed2e

          SHA1

          91739373235e9e226baa11b284a82c9a61ca3f14

          SHA256

          68b2aa2f1b259f6e725fff17dabd8eae8d75da11fe407b934305bec2b47ab2b5

          SHA512

          1caa41ba628b444f0ff1795870bcdbeff6af5f36c799515069ce14d347cc2e4ce9955be8714f3f877e4a58680b2bc1564e465fc8ccb8b75b56494eb7c15e88bf

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          384KB

          MD5

          f548e5a3a1affe48053a0a2cbc46ef71

          SHA1

          0113e2a14349958a850e4d18987148de4a36c587

          SHA256

          e816de577c9a4e5830f26343ef8c8c81b1e313a5866791014b7f300beda24c58

          SHA512

          12219328e27237bb76d90175fbdc384d67c339bd0ba9ebb3fea732bf0e3dd2bc7b5b6da80d47929be105703708040a04f8b497be46fd3d862b8a20476998a287

        • C:\Windows\tiwi.exe

          Filesize

          384KB

          MD5

          6e1522b6b7c51ebdc0806a92dee44c26

          SHA1

          e8bf3d1b3e2b2a69219b02865ce757e6327edd72

          SHA256

          7a968c126cd677eb57211140a069bc1190893a6be4e5fa7e64aa4c9443cfc9d3

          SHA512

          416486ca1db7c5a8869361032707f76384318cb4e5765bbb4e01abcd50d56cf7fe2d9aa438048c09980c9e2088b7af5ed6972fde96ae5407e1172959152df2e6

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          384KB

          MD5

          182367e34a3d5140b87985b49a1c453f

          SHA1

          0fe4546525e555a6d0fc43362c8ec3f144fe0ef8

          SHA256

          78638a0001b4b288e8601ec59add5b85a997831a100454d95c919747817c64dc

          SHA512

          365fc2f64cde416259a7af0acdcb73eb5a0d7b02fa6367671c92dc6c3a5a416369cf9a56d1e862f324139c2a528b833fc7a69a8975cbf0b799024b450bca758f

        • C:\tiwi.exe

          Filesize

          384KB

          MD5

          2b20767cb126756e273cc3b672c24ce2

          SHA1

          8fa6ed3f2a250b86a33b60e16b49ddefde27648c

          SHA256

          aa49c4314e87c42864e23af944c5966fa8eb01a1a4dfac41a336584a7f37338f

          SHA512

          7501cd204f7e22aa169f4e91ac48435fa6d9400c6284dcd1b9d3552f165279aeaa8a1dcaa3e7165675a7e532479af983b043bf323fe26df55664b4b1c1de7822

        • C:\tiwi.exe

          Filesize

          384KB

          MD5

          67283f7489d99b0534c0ce0cbddc1b5b

          SHA1

          1b60efd198035a6f8fbbb13d3bd7abdc9c44860d

          SHA256

          4388f80a3b3a6419ad154cb93344f1d5330fb2e039cb633e9d1f99a77eda1e8b

          SHA512

          3eb5973a7967d026037fac930148d12bb1788850d299cfc86a15cd053e9d2f00eb305bd4c521c66122dd87498220d1efd4e8ede054fe6f201ac3d1102f8a0daf

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • memory/584-424-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/612-351-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1044-192-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1044-275-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1188-470-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1188-125-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1300-302-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1416-332-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1416-329-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/1416-330-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/1852-446-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1928-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1928-463-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2004-189-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2004-183-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2004-177-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2044-451-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2088-350-0x0000000000240000-0x0000000000250000-memory.dmp

          Filesize

          64KB

        • memory/2088-349-0x0000000000240000-0x0000000000250000-memory.dmp

          Filesize

          64KB

        • memory/2288-191-0x00000000037F0000-0x0000000003DEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-110-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-194-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-98-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-190-0x00000000037F0000-0x0000000003DEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-452-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-124-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-175-0x00000000037F0000-0x0000000003DEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-176-0x00000000037F0000-0x0000000003DEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-123-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2288-109-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2780-338-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2780-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2824-394-0x00000000003A0000-0x00000000003B0000-memory.dmp

          Filesize

          64KB

        • memory/2876-416-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB