Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 13:52

General

  • Target

    c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe

  • Size

    488KB

  • MD5

    5953ebd2fec51a3466574c73734b3310

  • SHA1

    02e7ed57055aca483933a7906be4a171f132edd7

  • SHA256

    c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797

  • SHA512

    3ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386

  • SSDEEP

    12288:V/Mz/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VwK2O2HIBEd7M

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

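An added host-triage script, not part of the sandbox report and not the sample's own code, that checks a Windows machine for the registry changes and dropped-file paths the signatures above describe. The report names behaviours rather than the exact registry values the sample wrote, so the registry locations below are the standard ones those signature names refer to and should be read as assumptions; the file paths are taken from the Processes and Downloads sections of this report. Two caveats a responder should keep in mind: every dropped 488KB copy carries a different hash (compare the three shell.exe and tiwi.scr entries under Downloads), so hash-based matching will miss most of them and the path and file name are the more reliable indicator; and the dropped MSVBVM60.DLL is the Visual Basic 6 runtime, which is consistent with a VB6-compiled dropper.

```powershell
# Added triage script (not from the sandbox report). Read-only: it reports, it changes nothing.
# Registry paths are the standard locations behind these signature names (assumption:
# the report does not show the exact values the sample wrote). Run elevated.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Why)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            $findings.Add("$Why : $Path\$Name = $($item.$Name)")
        }
    }
}

# 'Disables RegEdit / Task Manager / cmd.exe via registry modification'
$polSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Test-RegValue $polSys 'DisableRegistryTools' 'RegEdit disabled'
Test-RegValue $polSys 'DisableTaskMgr'       'Task Manager disabled'
Test-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD' 'cmd.exe disabled'

# 'Disables use of System Restore points'
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' 'DisableSR' 'System Restore disabled'

# 'Modifies visibility of file extensions / hidden files in Explorer'
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$a = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($a.HideFileExt -eq 1)     { $findings.Add("Explorer hides file extensions: $adv\HideFileExt = 1") }
if ($a.Hidden -eq 2)          { $findings.Add("Explorer hides hidden files: $adv\Hidden = 2") }
if ($a.ShowSuperHidden -eq 0) { $findings.Add("Explorer hides system files: $adv\ShowSuperHidden = 0") }

# 'Modifies WinLogon for persistence': Shell and Userinit should still be the stock values
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ine 'explorer.exe') { $findings.Add("Winlogon Shell = $($wl.Shell)") }
$userinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($wl.Userinit.TrimEnd(',') -ine $userinit) { $findings.Add("Winlogon Userinit = $($wl.Userinit)") }

# 'Modifies system executable filetype association': the stock exefile handler is "%1" %*
$exe = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exe -ne '"%1" %*') { $findings.Add("exefile open command = $exe") }

# 'Adds Run key to start application': list every Run entry for a human to review
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        (Get-Item $run).GetValueNames() | ForEach-Object {
            $findings.Add("Run entry ${hive}: $_ = $((Get-ItemProperty $run).$_)")
        }
    }
}

# Dropped-file paths from the Processes and Downloads sections of the report. Each copy
# has a different hash (all 488KB), so match on path, not hash. 'Local Settings\Application
# Data' is the Windows 7 junction for AppData\Local, which is why both spellings appear.
$dropped = @(
    "$env:SystemRoot\Tiwi.exe",
    "$env:SystemRoot\SysWOW64\IExplorer.exe",
    "$env:SystemRoot\SysWOW64\shell.exe",
    "$env:SystemRoot\SysWOW64\tiwi.scr",
    "$env:SystemDrive\tiwi.exe",
    "$env:SystemDrive\present.txt",
    "$env:LOCALAPPDATA\WINDOWS\winlogon.exe",
    "$env:LOCALAPPDATA\WINDOWS\imoet.exe",
    "$env:LOCALAPPDATA\WINDOWS\cute.exe",
    "$env:LOCALAPPDATA\WINDOWS\lsass.exe",
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Empty.pif')
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("Dropped file present: $p (SHA256 $h)")
    }
}

# 'Drops autorun.inf file' / 'Enumerates connected drives': inspect every volume root,
# since the report shows the sample writing F:\autorun.inf, not just C:
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf on $($_.Root)") }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

A hit on the Winlogon or exefile checks matters more than the rest: with the exefile association hijacked, every .exe launch re-runs the dropper, so remediation has to restore that value before any cleanup tool is executed on the host.
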
Processes

  • C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
    "C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2348
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1676
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2416
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1956
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2512
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2468
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1912
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1768
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2788
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1700
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2688
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2424
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1332
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2104
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2308
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:352
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2296
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1056
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2172
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2892
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1560
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:680
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1628
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1824
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2888
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1032
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2860
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:760
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1336
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2644
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1936

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          cbf04dd8bd74806b3442c452504daa19

          SHA1

          5b8757f7f6e1bcb1dcd2e9e22981744ab1e235bc

          SHA256

          a079d9484eb19dd20cc50f2c1b50bc7a3f5d917ad244cfe4cc9bfe38c25cf572

          SHA512

          669dfbad5af7d65145610ea94c9726c487a5e068a65c0cbe27cf74fb7db22fe204c542c65a5651e8775f57037f81a67dbabc3f810346137deb7bfd933f0be324

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          488KB

          MD5

          e77537010f40a5b5f483d30372ec9a04

          SHA1

          bac99f3f5fdb570b8a6b47610ae7e2d2abab92f3

          SHA256

          8fdddcf3bed37ce860694c8804474f45110df9ebb826e7cabaf905122d0d01d9

          SHA512

          78a8db1bbad0a351a28c082d1cd9b019505dd95bbb9893355f99417415b50b2f81853ca4b517c6e2c77f647d9cf101821552ab8b086b52c0db3a3ca6b95fa1b6

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          488KB

          MD5

          ba444bde36e78ffc2d898b42ef1c56b7

          SHA1

          33041c18aa4654dc8e0dd33c0e3b9f47ee3bba1a

          SHA256

          b5db3b93eed9277812ce085378dd7527add9ecddc87c03a5eb630300f6e7a791

          SHA512

          92ec9df3b59b37277c39beddde4b9bab5c892df328a31f0e75e7afe1aeaf2fdf000aa2b8406a945601613dbf5bf4c8d9d2bfbfb4a90d81153186cad064b3214e

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          488KB

          MD5

          5cdaa4e7b9f04a23192e484784832c54

          SHA1

          94cbe97ba09836eabc2e975cad16bf9c8b06f345

          SHA256

          57009c5583c1b5aa19ebf58d6fa660f38bf3d7c58c6b150f4a28afea0f413cd3

          SHA512

          12b094d0e9c451040e68b3598e06fee8b0aa3b8ee50daf896784844bcee9f677b354644e417fe173d0b5176a78571c6814607c463502acb86460590a0c35206b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          438a8384a19d7a0595330a1caeff1a24

          SHA1

          45833d38ec4d28759cfb101aa96b5bc91217928b

          SHA256

          0348caacba84e6980e5b3bf89710bd474986ccd348d249a5fc7d303b57bf49fe

          SHA512

          4c88e9d7a51c245d8d7e2fedaa3b595973699c9daa626729adc66eff6bb46108e0081a13e501a926a14beb19dd1929e95427557662806cb1c44d10fd84f946ba

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          10cf284cce2bd63ac1f300a4126fb020

          SHA1

          6f63d14f73fbb11118ad272adc6fb521db2b6fb7

          SHA256

          e65753e73bd4a7abe0d0ec6c616172cdfe6cfcdfeaff17868a9b3c65a786d53e

          SHA512

          814cbf1eb9d45a294b216cd8ce25b553388dab90cfd09e47bdf33e9e0fe9cd57fd2dfae62458396381f35f20f3c383ff89ad84b9386cbe4dbd3e11789b92e68e

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          488KB

          MD5

          68a1c25c415ed200ebaffaf2a080f82f

          SHA1

          e70c0e267e77996553afb7f1fd34e0592ea7ab1b

          SHA256

          8098974f91b35b0f293b53ae1e5cb55fc2d72a9962d6280dfdd519645f972d57

          SHA512

          e1042e5ea0ea41edf895fcaab82b90ffd3905ba88c5d158aed00d18ad650d9ef63f02b5a4e417864ed09a095d11dcccc58744a3a5a5aea1fbffab300d6925842

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          488KB

          MD5

          29f971ec5a748038cac0564558632f29

          SHA1

          51b5efb6ee488fe92ec0f89243465c7f93a60ba7

          SHA256

          daa5340fd46dbbae5554e69f971c2a29494876d573777ad7222c791924016234

          SHA512

          7e451e5967c6b077303abc48289d302ba2bb0a7cba6ec4d6bd13265c380691bd3f4c071fe9ca38682e39ae30bb5e82069c49283b9572da6c1f52edee92b89c04

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          488KB

          MD5

          c401cbd190e2a2111ed84623ad49fcb8

          SHA1

          1f260ba126dbd0b58956d2cd5c30bb89f2d3902a

          SHA256

          4bc5cd31d41e2e3dc87a0990b83dca35cb2d288ae2b261c261eed30263148067

          SHA512

          d6263167c6db5e439d106225246d4c90fa002f2fb760c4c5c6e61da31f7bf5159ce8cec8243834680daa8e7b166a4751f8c2796104c307272d4f57d5637adcaa

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\IExplorer.exe

          Filesize

          488KB

          MD5

          421f33278ba0ac000cb9f3fcacb956ef

          SHA1

          ddc1ac82f98dca50e663fa06b10963d869f839fe

          SHA256

          409b32d0ffac221173a16e8164a68c38d663d581ea711acac4ebe416763bdbbd

          SHA512

          7d7f5c182fe98aa1bef05b47445204aaed0f4d5203866bcc38d525e80d98dc034eff73c1788c02c6c459c64b31c0752442c7da7ad2905e0302d112882dfc2b25

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          270a1750fe3379466dc2fa9c82183212

          SHA1

          8113c6cb8a42e4ce97ee4dec9ab05a204d4d040c

          SHA256

          18af4d38cce3f9f83374d49572d19b14e13326c1afac0eba6ca1a98de9d567e5

          SHA512

          92188cc37a50806ca029df8bae580f6e0fa7d9d0587ccfb5897b9b4e682ac695c6dfca37212d3e37fe17a1aff60c7b499a21c4b844d41776acafb8db0fffbf9f

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          bba2c8430b55152718d8aa3a29e69748

          SHA1

          6777b0461801d1733adebd4db0add498fe0b0f74

          SHA256

          07bfcb969e428ad53e3539f7906e3ff23d04daa4d3068c959158f783c0b5f467

          SHA512

          e82cf624a2874613b067213a9af5bea2b062e7f4620b7fbb3ea8dccdef906488976587b730d1bfae256f52d6126bc0f252f7576ed13e0e4c874d177c59b1cbc8

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          5953ebd2fec51a3466574c73734b3310

          SHA1

          02e7ed57055aca483933a7906be4a171f132edd7

          SHA256

          c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797

          SHA512

          3ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          488KB

          MD5

          ac82e9437955e15cd506bab204d121cb

          SHA1

          e644ce8c9e025f6e4d3f2f2fd118cd5a7e77ae30

          SHA256

          cff0b4dc1352f790e9eead7611edd1f0bf76c4018ab606eb98a812d72fa659d2

          SHA512

          2661781b8bea2a5e5f161ee4937e16ad40c171233c42f08348ed9cde82190454f3b2c453439818dd41a695a43776c73f8e667df78c0063c89810b81753f95d98

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          488KB

          MD5

          548de2ca8aa457672d93e67908e22f68

          SHA1

          dbec4f8d185af6ee459d65450b040908ed14117f

          SHA256

          b5b589a2906a96bc06f50dee74087b3344310950ca8b25fbc5c390394b4fcc91

          SHA512

          400c6c1f1b644406ccd36ab6fc0055f006b339e20b621d4de63ca1331866555994582ae5ee132a4dd9558c9f7fb8fc672811d8ba5006f8b947821c54dc872e33

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          488KB

          MD5

          cf7e59d1f5c1032874822b24f1eaf5fb

          SHA1

          4c90be622487b8a3c7276c49abad9bf11ce50f9b

          SHA256

          3e8e820c9434e288359f4668a071c990bb03523cf1bb1740cb4cc473f6f0a82e

          SHA512

          6dcaae9a3ce09e161313051d6397dbfe1b42133a3e381e52243b3303d914704dd24fcbb1d38f4108da43b2679ce69db3957134dc7f1866e7d818a1ac7741268d

        • C:\Windows\tiwi.exe

          Filesize

          488KB

          MD5

          ce413838dca2ebe04693f608ab72c3e7

          SHA1

          e47c0ebb12d2b9a23fbc22468fa8c5ed9b617bce

          SHA256

          8dedba30d34a4aa780fa86b456752ac5f2dbdf8148ad74e6d1637e62b8f6000a

          SHA512

          cb39d28046b05a47ee9b15683b3722803d05a4dd4be6c31e266d8163ff893c68aa34579436b499e6c666d53664bc0acce64e7b15e4427f080fd17251c55df209

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          9691be527acea3df5e832488c08d1f78

          SHA1

          51d2e99a5fe494f4193d82708a68f3e297a0cafe

          SHA256

          465ab76d37735d8075cd283a1ef4f14d1f9c777117fbea6db26073ac1d5bc7c3

          SHA512

          01177b5b737ce7ddeab5ac12f5c3d8b0e0064a80e8febf3507575eccaf24ee63a830083246395a972db602e44651ed3d975b515a5657008d20b37336dad3cda8

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          20d8d5312ed06913846112075c9699a9

          SHA1

          cfed976ad84fa8f059af1df0df68effeb586d2c3

          SHA256

          fbab73e0da650968903b034c45c800e5b35d6858f01afc904726e140ad1c0093

          SHA512

          78ee8a21a7fbedcffbdaa04a07fd81d8e5a9088a06f61552603419039bc1792b9225688435da07cd32fd6b7cef71f97411dbb77f4c2a865b1dcbb49d1f7135f4

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          7c213c5086079158acd667fdd6c0a7c8

          SHA1

          4921c072ac9f69d5c88e6df3c632d4ffbd57c768

          SHA256

          13df1bfec466bbc19abc4096da5c768c87a7a90f9b384b40f684f4d7efc2698f

          SHA512

          c76f0b4d1e20c6ec73da90ffb5602d407d902ae35594767b9d410403eb43c187ba7392e101b8421bdad22c666cf42243c1cd1d8602c5fe3224cb0882b31ca1bb

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • \Users\Admin\AppData\Local\WINDOWS\imoet.exe

          Filesize

          488KB

          MD5

          cea2626b00637275d35d410b80d90637

          SHA1

          af21fb9f93feaeb0d2d68c6161d834c33ba2be1b

          SHA256

          4d145678a136f819cfc26e0956784fc6305e3ea895eae546988e3fb9a4da9841

          SHA512

          ad72525ab48d6dfd6bdb6a61d7ecc959b6799d1e1ad610fcef1ad36242b37078dfc9e848acadaf35a05ad69e2624f46e1b515e22cd6720e478379c9cc7cc839c

        • memory/1332-451-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1332-184-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1676-314-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1676-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1768-288-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1912-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1912-419-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2308-347-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2348-166-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-233-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-111-0x00000000036B0000-0x0000000003CAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-236-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-183-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-180-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-98-0x00000000036B0000-0x0000000003CAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-109-0x00000000036B0000-0x0000000003CAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-239-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-240-0x00000000036B0000-0x0000000003CAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-165-0x00000000037B0000-0x0000000003DAF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2348-427-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2416-235-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2416-234-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2424-177-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2424-167-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2424-178-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2468-421-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2468-420-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2644-416-0x00000000001B0000-0x00000000001C0000-memory.dmp

          Filesize

          64KB

        • memory/2756-390-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2860-444-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2888-432-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2892-422-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB