Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:39

General

  • Target

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe

  • Size

    64KB

  • MD5

    bb79e9d53044c165289a0386b625c770

  • SHA1

    3e73cb3a3e35eb2d1c888ed542c14d0395f56460

  • SHA256

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8

  • SHA512

    46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QCwJ8w2VS

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
    "C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2092
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1296
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2936
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1872
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2100
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2776
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:300
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1932
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:340
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3040
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2068
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1828
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2120
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2732
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2748
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3052
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:664
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1648
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2324
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2364
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1000
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2844
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1072
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2764
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:632
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2840
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2912
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1404
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2456
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:276
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b80708d93cf79ad0b26c8b20c6f2a937

    SHA1

    599d7f4267237ea8cc4ab6da7e77c4f1fb54ed70

    SHA256

    9a86aae8bfdcd2a91e9190ac566209e65a5327242e2c723cb52f1187a88b3321

    SHA512

    6b17f74ed6cdd36dbcf4d9c253ef0875a7bb9119df858d5edf2d15f565700e238267a973a050b3ce7f0588b5ab46025228444ab4e3afdc7453ea1392d2bbc222

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    64KB

    MD5

    f8da8c78fccb54b2656671c518f2a4fe

    SHA1

    7ee880fe707f002a6feda9d8e326ec2ca41a8ce3

    SHA256

    9b579a3b16e17f40dd97b7cd41df5563fc648aa09e5d085372d286cd063f3d81

    SHA512

    b9dad7c12a758676947c5c9c59951676410bc1a6d9464c6118a2a4c9c36489efbd01c050ec4331ad9724bd2bb5e72ee61b33dc5c3d2106942f6718e24c08fffb

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    64KB

    MD5

    572c70f6c2e961a38c1332db0d60f1ac

    SHA1

    1b64e41f85cba00903bccfd1cbc0b6510dae629a

    SHA256

    968f0a6286b3d3ab2264be8d4c3774a126d4142dfcd69198272567814a2bfd7d

    SHA512

    dc12c8106fe2834ff087473e26d2bd7638d04b2e3e0f342bd0374d7864448ec73c5a3956f3ce45d49b5cb85ddd773f04ba8d18e23340e4a18b2c47b59284f7d3

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    64KB

    MD5

    13a90ed33d2be8cbcafc9d2059bb336c

    SHA1

    7a2bd2f1391805f344a182e48c9d81bc607dea12

    SHA256

    0caf09ab46dca74bf3970157f29821c1f6e747e8146e7001b1ddb5c4a103bb44

    SHA512

    36fb8f5da48841eee68ca996e7bf2aa9b7b209c6945225302d79e4d5665bb250118bbc4915dc30ccdcd0fc6b06234ca9a35d3cf74321f843c8b6cf7a48b99913

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    64KB

    MD5

    558e916a958fd91f2401843374b47c71

    SHA1

    4837dac64fc5724aa1ac932cd0166f1785f7122f

    SHA256

    5abed5416dcaa45a544649be2e7d9fdde0d260513c7ed7acf8b1b19dcef68d7a

    SHA512

    c36dd5108ca26110a52b1b3e62003105269f124d787752bb9580fe1fdfe3b8d1845920c30987c0e4c80a00ed556f2e6fccb936be1428a4ad0e119024efd7f572

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b210083e425e53f9fbe683fc697d2955

    SHA1

    2467d66c8c6ee327bab8183e8d6cd40f7fc7848d

    SHA256

    78671a1a313f78abead4a4851b19d910fa9135c2c946171d0df06174fd6ae8e4

    SHA512

    b8e7f41537389af9ca872811814f8b7c8ae1ff649718c34dbfbdcf1bc5606b8388777e78af93ef84cfd2b7a19f56a994b308c062562b2e088a1f41d4f9d7532b

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    1f0ef47bad5c0d148ba7f2b966d1b014

    SHA1

    cbfe24553b6d9acd9d12a30f1d5d5de0f1323503

    SHA256

    e294ac2172595f608cac754d844dd2335c14675afe824ade358e6585b41e09eb

    SHA512

    ed719dfbde1182fc9cabbde2162d7cd388f6e1fdda8a501e76bd8047311b250e56eb5f94f9dbbad5309ab3edc8d0f546fa3116c03d01fe5386ee306364498b1d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    64KB

    MD5

    70f697e1594a66e125218642960f5704

    SHA1

    1d0788de62e1bf8d28af6b077c58bed195e64235

    SHA256

    7186b4f924f1ac731cbe7f3d3511befdec82216fcc7f963bfb51ae07ad2e14d5

    SHA512

    02aade5617455a43a4191fa746fa37ace72b77a6807c3a8d99f7bc0650a5f9b597e4b581bdaa7a8e73d73fe009da80e052138b14ed2767c1111d4881fb3ea2b5

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    64KB

    MD5

    a6cf915256d2b433c008ac5ae3778aa1

    SHA1

    2d50f9b28368142f15b003ce427e2b158be2c145

    SHA256

    e666c6650a634a1380b45806f4e920f9f76995c2829e0045887933402633618b

    SHA512

    1eb593096c3138baebf810dec0c58f54c86a94580a741d38f56f53bb367e96c0d77b07aaece979e82b997b2b26bb977410d60db7f61c4f4e0ff4129171b3590c

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    64KB

    MD5

    c6a6b42bb46e99256123369324a8df48

    SHA1

    fe55cb43120a71c00a4353c332e967ad4fc8ab82

    SHA256

    0e3efa742f6933da5926b2b86e53a15075e8f52b17cd4e3015c1e64eb5fe9db7

    SHA512

    8347c5c4a1aae1585954969d53c74398d7fdecff81390a36e09e65cf48b12a472071d541315dc346c4de3fcca10d542e358554c002147ff3f90a9ab74464c4a2

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    64KB

    MD5

    d6875c8d18cbc403f73a1d021546df59

    SHA1

    b4ae244271fd957d157f95c75aa58e71668f89e6

    SHA256

    1244b42152f7da2e2e33fb964285adea0ee49e5a86841a8bbdc055a80521cf39

    SHA512

    787d4a9deaf900cd513aa25ba503f4055b5017e7ec64de83fe8931853847346d26362036365656f6b8e81e434bac7a246a92d93e1c75047a6cb39317f1e58c8e

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    64KB

    MD5

    e4d601b2a52d3967da3c7df849972c2c

    SHA1

    68ad17b1f4cd7ee650321eb03a1d952cb7ca1e87

    SHA256

    b7b6edd09e370fc445b9fe251de106927c60431b333f6826d965f9aee703888a

    SHA512

    a1440bb569dc75d2cd1984b0efc47af20aa8b81aab84708b2c1f7f47005a448fc5dfeb1e275f55cbb3625187f109bc6620dde6d43aeeb0d579b9c3d8e1716b10

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    64KB

    MD5

    eb9ed0c82b7e1d650328a78c0df3d23c

    SHA1

    512f87a49fbb82e77a5439235bb142d67acfe16f

    SHA256

    550c79c9b9464dfe0cd09f67d6adf8a497b0dda65e638e15ae66753655d3c1f5

    SHA512

    62e3a9fa408a152aa9ca3335e490f57afe744040c890136454d74f630582a7c4ca0d11ca74ba22ab481007f9dd772417b514467b1b457a2cd4364f77f195c039

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    64KB

    MD5

    bb79e9d53044c165289a0386b625c770

    SHA1

    3e73cb3a3e35eb2d1c888ed542c14d0395f56460

    SHA256

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8

    SHA512

    46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    64KB

    MD5

    80dd739f1a3276430a8a60b5af738466

    SHA1

    3685f1bc7970efe8491f310501c8efcf9ead0616

    SHA256

    0e0052ecea8bd13c167a03b142cff4378e968793110ac65665cd14e5c4c1a5e2

    SHA512

    87455421d7c443746f8cae42ffbef0308287ae2e5f3086511a25c32ca9381261cc973e8e57163a1c856c9a18655d55fe871cdd673fe2f8cc9dea663db782d159

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    64KB

    MD5

    75a2b158d6b54df989c25315428102c0

    SHA1

    fc83e25eff360f8dc74d8878d8df86e699006f7f

    SHA256

    8e3488908e67a9fb068efdee362d33371eceec7b07837cd7715c7851627fe7e4

    SHA512

    f541546ec35804eaada557413039b3ed666ca96fcbf3b77779ff56b1fe492b28ec4e532fdf81c3691cd5fbd6a10a203cf4f29093107994cdf08df8fb207da869

  • C:\Windows\tiwi.exe

    Filesize

    64KB

    MD5

    85f9094c8af86068dd1ac661d6b1fd5b

    SHA1

    e7237e0d8e586c9e0a1cce45b64f7b76a7406614

    SHA256

    5d0cf3e9a01b72af3ea7c7a32dff083e82802ff2618150fc2abdec41a0eb95fa

    SHA512

    04f25281ecff2f22c6550f7adff49087fa159f42b60e7efa328c57c52b11f88ad6fa64a129cb0f71b190e1c241cd44616f6432f39114c54d5a13e239f11bae2f

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    64KB

    MD5

    94c521817170fc57277380ee2fb62a47

    SHA1

    43e348bd6fc8f2cc4e7355514dc19d6f7ce1aace

    SHA256

    53e48afb5e10a31c1730b642e40a19f1dec9bcca5ce5e3348197089088edc78e

    SHA512

    9a2042bbd546f31e38e0c48c67f2797cf2a75a20d2e93886c03a5fea20ae046e5503feb4c8cf481dc23148eb838ec638d44f599273470387d35cc81f1a492129

  • C:\tiwi.exe

    Filesize

    64KB

    MD5

    6259d73f85582607a1ff1be2b3915805

    SHA1

    8d75c2d2409015392ce180cc4a5485738a6dcbcd

    SHA256

    c5a43129aae51fd7474c20bdedda1b00a99f21f84e92ee17c1565ef2292f7c49

    SHA512

    47fc8900669d640c8bba0db653d3ea06448319ed21e80deee048924f67319a9a10a99285fae3b40bbc7ad14549d6df59410ac7bf163ddde1249262a94bad9005

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    64KB

    MD5

    7fbb65363a2035587c6e41bd01da4541

    SHA1

    64505244f20a936c3fc2787e66fa7175e1efa73f

    SHA256

    eba247c8207b2a391793ed6d522d82106c60922e8e9778dc383c756a647794fa

    SHA512

    878ba5ffd46e7afb6677cde64feb170621a7687217ab2aa5838e683073ca8581214ee5e08e0de1e0a425ea468f3309fe092fa7ce53261cfcc89a4b895c9ca7fb
