Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:39

General

  • Target

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe

  • Size

    64KB

  • MD5

    bb79e9d53044c165289a0386b625c770

  • SHA1

    3e73cb3a3e35eb2d1c888ed542c14d0395f56460

  • SHA256

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8

  • SHA512

    46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QCwJ8w2VS

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
    "C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4972
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5088
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2832
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4528
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4412
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2624
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2340
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4440
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2980
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4448
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1936
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3112
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4856
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4296
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2236
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4408
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3492
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4432
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4884
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2572
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3188
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4456
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:384
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1044
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2796
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3648
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1368
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1240
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4324
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1700
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2424
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:928
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

    Filesize

    64KB

    MD5

    eb41a76397e1ba037c353dee4ed9b92c

    SHA1

    f91cbba7d1b1eb5490c12394a03f9679f3403653

    SHA256

    000617d924a575dfc6df5e3d54d1d3a8c8047eb97d636b7b8ccbc69ee343ccc8

    SHA512

    6735dc880ac2d66386d712a51d5ed3ec1494525adfae4959fb508138e1fbfd4a3678af9377ab510917e1bd8831ed084bcb8cc1eef2663bc453d3d502d254a805

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    6de5d3b1209305248207e8da2c855516

    SHA1

    8082db5d79b8a8ecc18187de963f64e609c2fb35

    SHA256

    968ba9fca9b0dab46fd485d7e546dac0304e4dac2d14f5e9dd68a2d49733d133

    SHA512

    e4cb22ddb3123423eeaf87e3f5db1786a6d8dc3c24d9ab46dec40527bb6a3e9ee0e834bfa429c2879dd040fd5ad8ad1f9b3fc6d5e3d06e9c507b4c2fe12863ce

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    64KB

    MD5

    8f339a5b7c35ccc44c99a7ac49863270

    SHA1

    37bc6d2bc13323026bffb1d341c212e31393fe16

    SHA256

    a3bfe8f7dc635bb8d155956d068621e5bc71dc3a082b344b824adcc80aacb775

    SHA512

    ee664af606942e51b3be1285a9706398fabf94021585c078ab8e8cf73aa78d2e017981c68376348ab752cbdba215015d7b2475abdeb929fd2e803f773d68782b

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    64KB

    MD5

    26ebc519257447b3509c8f692316c193

    SHA1

    7aa3e0265d83c24cd9c969baf0f9b404eb3d4239

    SHA256

    0d4758d2de694d7ad8bac2a01c841219cab2aeb21f0b05ce3f582b07bc8ca66e

    SHA512

    2d7dae335d052c7e2ec34fbb2a0f538719be7102aa4b71007e5c266defe402924a13475e105c81fb3061047ff09ed534a4ab92999e53725f665544f0ddba6a70

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    64KB

    MD5

    5a7d5e406f047ac4331abbe1ad36a521

    SHA1

    24378a5a93e662ccf3e29f697707e46bd290334a

    SHA256

    b5181d5504b190c5b2a9f94e1fc256af8eb9cb90f0740c6182d4ea9f32a3974e

    SHA512

    c0ccf487dfdf0cdb4e1c2832e772dc77f3d8cbe2bea47d0078a7a9ea75152ef13c004fc6b1dd93eb8ae2803df3593a36b2719aea7adbbcca271abb315c5c425b

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    64KB

    MD5

    b2de02fa9cba9b5741b984dea1e7cba6

    SHA1

    b5d7c80eda97943971a18d112b7fc5234756afa8

    SHA256

    6d5a7cca64331b32381f214df8f9329d856867bee45f0605c53cc1b59bb10a97

    SHA512

    77a6a06251c7e86dab4414159fb7728f792d0d3128cfd28f5c07de69247c87f30f4b2df635e82b1025175dbe6eb106e8405811d1d8c12304804d36e36e792cd7

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    64KB

    MD5

    582c2b55157c63681f41a4853317467f

    SHA1

    c989c8bca8396c111b29ab71b6a59bf219f50af8

    SHA256

    7ad4a59f865b29b5c98d64e297aabae115c1c4525aad2ee10407e668f5582a4f

    SHA512

    d23818f9b70960ce3b62cbb6fb27af036154496b06b30bbd78514fe93d333c4a7d3f1e170516cb3f3ee9f93cbc28521499e81eecc23e562a0b391d5a1c425e9c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    3ea1f053e96a607b202f294356f7baf2

    SHA1

    627004ab3dff68152de6ae424b2ef5a83a5deb4e

    SHA256

    8db4577d980804976e6ebc27d27ca92c7438d9021f24313a9d80613f31fa7c53

    SHA512

    059b832e756d20485385ffcda6dd13476182fb6ae976f3da97a6bf05ce3b4f6537964d1a09b28bbb2e277d94012ae3ceb1546d8c5efbe8578078f33ce6e47e09

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    1228d3e42be5c7c20ab7039f72f8c533

    SHA1

    c3ff01d2f7e5f600b47ee00f33c3581958ea70f0

    SHA256

    2334f0ee5cce275112ff7cb888e8194aad5eec436a3b565afcbc6d476186c1cb

    SHA512

    aec5a64ac8c70c4ded486cc49aff436fb78c6f8b16f72fe5293354e634b50b523ea9f534263970e06b4e9edd3334c3b67938ade5ae735e8fa19af3dcbdab478a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    64KB

    MD5

    22d8ed47630f57e9e5baef979f3e98fd

    SHA1

    dccafc6d26ec250d8932ca3fbf96c0f5fdab4c18

    SHA256

    d2d1fdd261f2b1647ffa155b1e16dc0c9941900e16d87c110cc20d176ada99ee

    SHA512

    6e0269cbf08b651b5994efecff0f17067b8a1022352943ade5fd1bb5a572c69c0cb2ee81b4f409a63813a6615dd1a26acac39c2f840c956079ac0ac8963034e3

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    64KB

    MD5

    c73f8ffd13aa0963a973ee00d137d554

    SHA1

    6de05b61e0447baee3223a1964318b14300774a0

    SHA256

    20f1fcf86d0ed782e98c5865ce9c86bb989f88b600c08b3401ab03f433f63d56

    SHA512

    9e10564eb2111e62022ac8709b2c5bec909ee1b782f54a46404997274ca98d0b9975447b50252f9d11d429f11ba8583df228ebba2aeb50c029f0ed4c0b51f0b2

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    64KB

    MD5

    70947bac82003b8989ffddc1b74806cd

    SHA1

    69f37866981381d2c822e49b067d197c63da907f

    SHA256

    26e99d9b6483214db00fafb693fdec603cdce8909d7a6b3d2ede202b497f70a7

    SHA512

    83c635444dd97cadb2a80bd62506e1dabb1b047bf2d850bca81126d827fcefc2ba5f5346770407b7dbe056404d9155cd89096eca1103538a530832a3c09d0aed

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    64KB

    MD5

    74583f1dca1c153a74bf53a397543e38

    SHA1

    2d6293c653dc939daf5ec3d6c751bc14d3fd2e16

    SHA256

    186ce1f9647533b34b045b235188eb8bfbdcae745d20c8f5099f691a7e3f2c8c

    SHA512

    cb6348a229164fd55a4a64f0f4d241ee99e9c26d739b253ebd44c240b3b75f57394962977f811648063b2c44662a3b489eccfb706d3f0cc9f28916ce74bf1c11

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    64KB

    MD5

    f79e946681c2ec43a5e8720fa38d5532

    SHA1

    3298aeec01afc1b0f7060e9caf768f8f911b2ef5

    SHA256

    39e8814d088c49e5780e7ed6414f32b9ec2c329f9b64f1fbcbf32cc49e9bde78

    SHA512

    da53967efa4ce0ab26e54762967cacf39e28d5fe097a091090b57085e81aae852acb5359e22fd7e72974327e89be5808b43c56af3ee0c9034bb6dc51235ad05d

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    64KB

    MD5

    bb79e9d53044c165289a0386b625c770

    SHA1

    3e73cb3a3e35eb2d1c888ed542c14d0395f56460

    SHA256

    5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8

    SHA512

    46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    64KB

    MD5

    14280968967b5cc40903ae182c56a89c

    SHA1

    2fa237872b8500d9ddd6b4b5d9e43f97f2e20d3b

    SHA256

    65efeeddee80a68a265780d8ed267d61fdd018f94c4d9254acf7a841e40b2b84

    SHA512

    524f7f37029107ac84b554b003cbcba199578c8872993e060a4b617c261ba660de99a9e3fa5d657f8deddc02c7b68f3eb2badaccfa46e4d9e712c0cb834ab847

  • C:\Windows\Tiwi.exe

    Filesize

    64KB

    MD5

    ed55ad789559cb6325d048c931bc07a2

    SHA1

    eb2f2aa1aafee165ca5b1e56ac37402812c57e3a

    SHA256

    3cae60364e851a5c7611f88ec136956f6fef7e1e5adef0282dd1752f49a77114

    SHA512

    e17f0500171617bbc1d85c1991b35c26010ff8b2383b27fbc75d375bc20cb93bfb5c7959004e35fefa3b6fe29c978aab7ad2c53929337cc84bb04d28c28224a9

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    64KB

    MD5

    cde0d134a7b49abb062ac2db47f11caa

    SHA1

    1709e595c8a20c510f9b5edf48715d59a9a51d76

    SHA256

    7999066b517217856996fd257452b59f1617d986546162b695a54b204ee3c0a6

    SHA512

    8715fe05dc46047869d9dc98c3af02abba03990d03598b6c8cf4dc6012a3ab36c128f00bbe475067dcf47a28ffd069bca74509db357bd09682e5766ef0f11d63

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • memory/384-155-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1044-249-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1044-156-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1700-294-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1700-302-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1780-250-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1780-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2236-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2236-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2624-301-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2624-426-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2796-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2796-400-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2832-197-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2832-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3112-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3112-285-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4296-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4296-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4408-425-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4408-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4412-288-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4412-295-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4528-284-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4528-269-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4856-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4856-246-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4972-399-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4972-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4972-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/5088-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/5088-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB