Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 11:02

General

  • Target: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
  • Size: 384KB
  • MD5: c1eb213dadf03c15c500ee0e15cbf260
  • SHA1: cb40a0d6d7ed1ef83c2145eb4340f46453feb240
  • SHA256: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a
  • SHA512: 74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875
  • SSDEEP: 6144:V/OZplW/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/MW/MP/Mx/M7/Mx/M4/MpBE/h

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
    "C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3576
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2628
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1208
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3644
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4888
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3588
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3268
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1308
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:628
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2204
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1880
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3356
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3448
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2304
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2392
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4860
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4988
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4608
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3652
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1400
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3052
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2508
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3356
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4960
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2992
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4104
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3460
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4892
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3196
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4184
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2192
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3968

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\cute.exe
          Filesize: 384KB
          MD5: ccd5296e10261b7392205771c241da1c
          SHA1: ca842c785e70819ea7bed5a12c0b2aa49ed47654
          SHA256: 8011bc403d33dc1e83954d1bf5a08c9cffcdd3d57f12f9e413f42166e9213a30
          SHA512: 744b5e9adddd971418fb9fad1c6d2091a92ea928aa52ee1541ae8a29334fef847b71a27114d43b1dde3ffb23c6a3c26100cefdd15d41f10a4af5608c62cda1cb

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
          Filesize: 45KB
          MD5: 32963f21f3405352d40889cf21ff6a8e
          SHA1: 1ec3a4498f3d9f25e00da3984a1233b86ebd7c14
          SHA256: d9c9367b1530d12fc26d4c6ad19bfa5f24ebce6cfb582c79e6897a8feef52bed
          SHA512: 9fe0c9cb9d557177b879609d4e5114a590f908257cef9f7702a3a23a89fd882f8ed8e4bea45282255bf2dfe09de9f616f6dfca7cb747683ffe18f9e293a7cd68

        • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe
          Filesize: 384KB
          MD5: f05d7a832af755eb1742329cc27bff55
          SHA1: e2c28a30c21164f2f77f1168b34f9103c5ebee58
          SHA256: e049d811cf7df89b9c7c012b54dc8377abc045994a4e22a195aba63302ee983e
          SHA512: 8dd4c944ea3104cef2dfe8cc87a4eb596a676f003dd518754b0c7d9f62d36ef2eed56594958f0adacff9a15c46e60394c9cf59775bf356c7cece83427882b106

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          Filesize: 384KB
          MD5: eb8785421f4ba5764e11f0c7fe14c6e4
          SHA1: 13a6b54b6ef5b2e4f5284ce499b347d8ea8e2a67
          SHA256: 382c64ccaa93e6ba9f93245f9861e70ba4a283c35a7ffc44a3e508010d8b95b3
          SHA512: 71faad0928daad68b43a2b4d448f9676360131b03a1006dff41602b7e877315820ca8520d762171e3e6afa2468698411ce37ca4099a3b6e2f82ceb0b7871e6d4

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          Filesize: 384KB
          MD5: 6b93737a36c704b4df5c562c7805044f
          SHA1: 67f1296796e87cf43c562a81f056afe2c6480d27
          SHA256: 30a0a5da0e96dfdc652dfeb78bac01755349de4b5c77feb4c07f83e66ef8b0eb
          SHA512: d5d20579b4e8ba5b13fdcd9262154c8df826271c51b254197ca7f8a4d291ab2da97878b3a7d0c74209e5341ee154dc5c41027f455eb4374f8b2dbf6b351598c1

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
          Filesize: 45KB
          MD5: 423adb47f25fb498faebc461e7efebf5
          SHA1: 7c87afbed73c3765de6497d14f40ee839c1a2cc8
          SHA256: 517efe7788ade5ee009c3ec993b56c849ed6011f7e6615717bfbfe88ddd722f6
          SHA512: 7080fc6001e77e69c86c80417009a4764b7d06ca77cbd9302bbadf060220b916aec9c396cd2d29b84871e52c4539ea31b7dfe3b51c14da4e33a858c13b313aa0

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
          Filesize: 45KB
          MD5: ccae90775a924609934cc54e4582d618
          SHA1: f4a739fa22ad42a1618a25dd946a92afe21c016b
          SHA256: 2c3d3969326a9934ffb3c9f819b01a9f83ac6e0d84262a3f06abd7a6fdab977b
          SHA512: d7501bf008e30ec6184fa1c25a1700723f90e9e99c3a471f103071a0277cf8e8c0f7fa144f8247fe11918715ab975f4fc005f9753febdc856b222395f1b938e1

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
          Filesize: 45KB
          MD5: b009522488e598de469f2b1d6f32333b
          SHA1: 4a739df4f14bb695a9b8d46bb79255c7db1fb053
          SHA256: fff61886182313046136df947c4a6189661ae757147ae4351a6f5592a6a4a0f2
          SHA512: 641e04c63dd9c6b6fea0e6f63b89a96904820127aea90bb2a3f5eb713b7ffd5e12770b399bd623265b6354030f9eba39c92d36007679d401702fbaa04e8e5d0b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          Filesize: 384KB
          MD5: 2148a0bd5ce803d5a6bcc6ea56e78181
          SHA1: 9ce31a04e1423ac277a5737f4385cd3d31fac332
          SHA256: 73d5177876fecf4f0a78a71beaa87fcc3d7e128d5b860468de4e27ab89d81345
          SHA512: 4298a9faab676028d360944fd6eca4e0807193fdf30563e72b1747725003f718e9c014b6214caa0300ae14844d0875b8f7570a6cc429d43a8a31e2de3c938f7a

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
          Filesize: 384KB
          MD5: d04f457f5190335362609052e009573f
          SHA1: 4e2fe06abdf535fe932ecaeccd3d73807819c56e
          SHA256: 1334d7a6366a705ab8b83eee81e81836bc2b1f6d2861c66484a1a24fd97708fd
          SHA512: 952a4b202e11b28c2b18673a41ae1190c9fee7ef605f4170a54c290d21e45102702c2ef730d453dd02febeeb84a51c7a2fa7f616850e281fa55e49ff923ce29d

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
          Filesize: 384KB
          MD5: b40be0cb93cff843798637551674a7e7
          SHA1: 4dbdeac3955e932c09f8c82116cf3c5573cb1110
          SHA256: cb91d31af19d6bd4064cb287bece5bfc185cc7f7d6f106d3ec6a077af1dc15be
          SHA512: 076df34dc3e19f5119edcf0da761d905daa4361c79c28ad0167546af500fa033a4ef513a85b4e995df1d722034a7c2c7b932231befaf25bc6142c5e113c50b6a

        • C:\Windows\MSVBVM60.DLL
          Filesize: 1.4MB
          MD5: 25f62c02619174b35851b0e0455b3d94
          SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
          SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
          SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize: 384KB
          MD5: 4662b40bd062081af662730532416c93
          SHA1: 0140cf0ac34b3f8da3b23fd780406a88b48556e5
          SHA256: ccfcfb5b78c35274ce019bf1aa9294a96dbf6984594da4673af2131e4faa4d50
          SHA512: fe1a99c497f846ca2d0cd59a9b25063729bc403387838a87195caefca75d7c0aa5368e1841283f3198e47347196893774065f96e35d52e71dddff91891d0d76e

        • C:\Windows\SysWOW64\shell.exe
          Filesize: 384KB
          MD5: 77f422d64c1b86019baeabeb157c70c4
          SHA1: ab56cb6d02dcb6510bf1c8bd26b309df1c67a8a7
          SHA256: 299e55ed5040829cbd63401c0faea6a2e9d6c946ea488518d473d185e4407de4
          SHA512: c68271fa6267ea2a9ae2b0b22cf166c2f0c3add60525ebeb99adbcde371a222ecb0aa81cbeb177013ba42f72714e8bcc6998bbeff1c3513342de1762a6640e4e

        • C:\Windows\SysWOW64\shell.exe
          Filesize: 384KB
          MD5: c1eb213dadf03c15c500ee0e15cbf260
          SHA1: cb40a0d6d7ed1ef83c2145eb4340f46453feb240
          SHA256: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a
          SHA512: 74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875

        • C:\Windows\SysWOW64\tiwi.scr
          Filesize: 384KB
          MD5: b434f52f1150db0f489304c871f6a14a
          SHA1: eb717c421ac40f1974cee575a6b95f6bc9a77c8b
          SHA256: 39e1a61462e0b8f0c1183f5c3d88f8c407b1e76c41a48f28de06aa0f6d28926a
          SHA512: 5d0ea8274219481b5e16a341088fb93091558a34e3d693d0e4be7fd1f796f622252eb260c31736c792784f120fe2ee92865675d4ffa59c49d0719d99a83d8a7d

        • C:\Windows\tiwi.exe
          Filesize: 384KB
          MD5: ab2f58d8134dabe854ee456e9b5e9bcf
          SHA1: 19cbc81ae8f113ad2c0d3ab281bcc2a756110d85
          SHA256: 0b1edf2ab733185625a551252ebc517355341d48dafd35df5c78d881bfc5dd87
          SHA512: 3a2def1bbfb21d5ad96b556a89ccb42f33e3dd5c1f2ea49063dd2f38642813edf30c3f5711b7c270b1b81e8d65785ee54c69f025bc19bfb181b72b307f10b4c7

        • C:\present.txt
          Filesize: 729B
          MD5: 8e3c734e8dd87d639fb51500d42694b5
          SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
          SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
          SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe
          Filesize: 384KB
          MD5: 7e3c12166e2b6039911fbebf59dbc458
          SHA1: 6549f136f819646cbb81cebd487b3e7c1933db09
          SHA256: a4fc8472d812910ee0fef5f703188e6859abb34a8434d867ea6a6c648201bda6
          SHA512: e29f0d9b9a5b7dd4a0e3faf32082af7d008d5d327cd06d8fbc884631a1edfc1b096b0e15140e163fe8442dc13e9392313f2262fb3a877167db6cb730bfe061b5

        • F:\autorun.inf
          Filesize: 39B
          MD5: 415c421ba7ae46e77bdee3a681ecc156
          SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
          SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
          SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • memory/628-343-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/628-338-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/636-335-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/832-200-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/1208-196-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/1208-221-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/1308-293-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/1308-276-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/2628-96-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/2628-265-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3268-263-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3268-275-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3356-152-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3448-368-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3448-203-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3576-0-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3576-392-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3576-261-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3588-272-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3588-101-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3644-222-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/3644-239-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4316-240-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4316-262-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4608-243-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4608-409-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4888-344-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4888-336-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4960-274-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)
        • memory/4960-418-0x00000000003E0000-0x00000000009DF000-memory.dmp (Filesize: 6.0MB)