Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2024, 08:13

General

  • Target

    a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe

  • Size

    488KB

  • MD5

    96491cc3d37f3c953a017fd6bb7d80f9

  • SHA1

    9eae6f9e6bf78055de34233d46f2e07fb054c1c2

  • SHA256

    a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7

  • SHA512

    92efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa

  • SSDEEP

    12288:V/M9/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V+K2O2HIBEd7M

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe
    "C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2064
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2744
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1828
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1744
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:900
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2488
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:884
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2284
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2476
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2768
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1404
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2036
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:524
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2764
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2828
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1692
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2472
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2992
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:608
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:264
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2560
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2016
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2652
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2700
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2612
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1924
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2872
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2720
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:692

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          488KB

          MD5

          6633049a1aed49120b69c18fcac8ec27

          SHA1

          361641737b8be4b24f0f023ed3d615c68efe4931

          SHA256

          041f562ece22eeb5227d84a83d241830f52c27afd88d3cc70f59489f063a86f7

          SHA512

          f009fb7f5ed030b693b87557daee5d55252195db9f3093fb47b911b2d2d132be63e93f606ef7198eec243a796aa97361e1f9cf9b2369143549799f15b9e34bf5

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          488KB

          MD5

          3b533d48b1d5815930b06d0bd9b9c75c

          SHA1

          bd6d937eaa20ae319ae49a4a99b797cfbe12a605

          SHA256

          914dee444f8e5446e3cc007e8369e39889de73d87c6326615c9eb0d916b98dab

          SHA512

          2e584181bddd89eeb4dfa1c6fa5aacc546c775320d2de61b861827584f0e11ff9bd680e349a92ae0af7c9d53c808f1e0cde217a8d9c6c29d0a0eca49a2e5d8fd

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          488KB

          MD5

          6162837adaab212fb0c7d40b219c429c

          SHA1

          05772ef401784dced15b4ad98ed69353161200b2

          SHA256

          7d436f3f4f28d0ddad821b65eebdb7f8d81fb7079d65aeffeadb3a59237105ba

          SHA512

          feb9fbabc3f71ac6482420f86268117d2f8ca0d75b78caa8cbe944f9810ff03ca202175d93d931866aa21ae0f2d7b57f1243db1cb89fc4dbdce374963915d140

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          488KB

          MD5

          f86a75e4600584523b6827adc2eca624

          SHA1

          4fcf4e35f124e1aab6528e673b4cfeb6521b2da6

          SHA256

          d484123933be5472cf5fe298c16619c3d012a33653a41706db77c4a092a04170

          SHA512

          17edba8af1f53dbab4bb434f83dd6e408c032b074804ff89eb4e98aee5a3d317d7002d6269b4a050393be1d1c22a9b9aad5b0d1d76b826fae2f30460dbb350c4

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          e1665397e369cf2bfc06846deb0bfc88

          SHA1

          25f685463d6ab292348b0c166b177a2e601a495f

          SHA256

          2fba78024868aee19ca655a006de9c7b4fc4fda478502d10b7fd4a4bcfc7255f

          SHA512

          316d1ca212513478e5db07df34a8f2a1ef76058fd180e617cc52407b634ccdaa943e44920cc3aecc22dd73d2dc7dbd16b9758658ae524dde83893864424e3302

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          e26b208f6110975bcf772f709eff412a

          SHA1

          cc46434bda02969260eec216a60797ff2a35ad2f

          SHA256

          3153cb3b546c00251bc85b8d9d9162d5b5eea0934acab7cdc57dc8a543a24f63

          SHA512

          74c127de4a14a6ed0067e5f3a9842b34fbae83ad97c0a605a279cf3aae7b0c7d145d4d1431914c236283d94041053414fc1bf485dd877e0f3c8af6dc8898640b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          488KB

          MD5

          7077c20faea6926f99323fd10a3e6c06

          SHA1

          723802b3d301187e557a9dcbf5bb75b3631e86aa

          SHA256

          342de109b9298fda6d098562e86ab29806ae65ff0df56cc8258181c27a6b8ae0

          SHA512

          c4a5a59126ca5d0efa90b2a3235d9568b72ecd66b7ff89903f4be763e271917bca9301efe867df76e71b13d5c480de666867d535bdb820475d0d1c7e3e6a8a5d

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          488KB

          MD5

          bdbf985eeb3a00569efb1c103296852b

          SHA1

          810ef44e5c22a3a731fda70091cd375647a1c2aa

          SHA256

          a2b6de6b4762b020e1167d7696893045d88c871267da034036f5ba8b43731963

          SHA512

          d254ea323d1f71b9e70b420d7d46749e4963738138c0418612ac752a7a6ecd24cc4fb3cdd11ddaa1e10da49860ee4fadb79a7696df7a166d6c50546844e482bb

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          488KB

          MD5

          79f9d2aa032958f391b231127156467b

          SHA1

          8b8bcdd83f8a833d40c2f03eaade92ec1be073c8

          SHA256

          5dd066bedbbf657836f9627b7dd813579039470668f9a900b6a8ea0fab747699

          SHA512

          d061b54e9278c26c2b3834e54db71af64e9e2c50c2a89eed7192b1c07d2c2f1ab0de91e1460ca2139b5df31c05dd20b5f92baf4fc2168c75af89f47f97346185

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          71f5a1da0764a93258c22ad54572aee2

          SHA1

          ab8574ffd941a363919b1a17a96b1f356723964b

          SHA256

          960ab4b9da31b89c9d28c1e8961d2d4532c00f833bf8a26b4f690785f1a90fc6

          SHA512

          76fc10607b1218da6390e1191cb81dc187354fe56cbff2f23a37ec10ead570558751c2d0369fc0ffdac78e6db3a8b30358148a4c8000ec6baede46a42eef6447

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          6905ce2edbef3125728cdf8c9ace0656

          SHA1

          21485f8f7887de60d4b866ca796eb12558840d7e

          SHA256

          9f1bf859c3aba28ded8417776d77508d7eaa94c22b4a8da5176ffd7fccc22804

          SHA512

          0a285ff72e88b3a0e987125a5d46af1a03ef99ac7728d2c331d7b764ac5884eb95434552ca5ce7cf757ff5d2fc79e2b9139479560443b04237edae3adf8a4192

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          488KB

          MD5

          96491cc3d37f3c953a017fd6bb7d80f9

          SHA1

          9eae6f9e6bf78055de34233d46f2e07fb054c1c2

          SHA256

          a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7

          SHA512

          92efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          488KB

          MD5

          630e543f95d02184cdb81a9b9bf6c84d

          SHA1

          d56ffb5201f12bcd70cfa4e76c351df5f1752112

          SHA256

          e6db86d13deeb478637cf330c25a17ea43da4277e14edaccbee6e94dd41dbad2

          SHA512

          12f402553d9d5dce23fc87f6f8aa10552c06a33b4f3c9efdae4e57d83ade0a81a644f00178b36905ca24481d71fa3ff8a8b4f50dc3004699bb3ef90fbc3cdccc

        • C:\Windows\tiwi.exe

          Filesize

          488KB

          MD5

          9d8af6c4a88f390bbbe82e7c4fa9606a

          SHA1

          513e70e8862da637252ea9deda5d3f27fc0b8aa7

          SHA256

          4d6de1ded9bca6725ff4581b09250e3c23d41fcc7d2eb16264702c9ecf78f6af

          SHA512

          bcd79d30d04cedd66c67f37665860ac315bfae0b48a49257378f06bbbdb7f132860d0b2da436f6a6aaead8341d86effddd81721ea7b500b2f8c0509f1341de95

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          bb7c08b547c86d6eec33fdfe7e28bd9b

          SHA1

          fe94dc79cef9b52453cc5392173ad995c4af85f9

          SHA256

          37de5d948eaec114b572a800c97e368517e644bf0c32d6f79476db77cbf5af09

          SHA512

          b64ebb89a82c9faa5b0b59c4f892098d4d08b9940b824a460ebed12633bdbe5d07889981830964bcbfb4d960b1867dbc0383517b305d73b3f4232b5d07342971

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          02fc847613e718b3350c86435b3b982c

          SHA1

          3a66b870ebb30b7e728dad225e6988948b08af59

          SHA256

          3a0c455a919ef80b06e5aaf8c8052b99870d11e0076fb7ef667a1a47e605f3cb

          SHA512

          f76e1822eb2de7817bc547f107cbca2ac9d6eea122cb2f92816cbdfa0ca2998037280e31de708a2548f9e647726c48ba1a06a001318b02a2c0008d6b827d49ae

        • C:\tiwi.exe

          Filesize

          488KB

          MD5

          53d5e798bd73e58a00d884c68e3c5a18

          SHA1

          0cd8c65dae5ebaa75829750a49a743e75b00c0c8

          SHA256

          06b6d588621e265000873fdc8de32043e280798408ebc1b646253331c5f3f484

          SHA512

          92adcc92ea6f70431c0c5f4138f7b4f1a2075328940994ee35ad0b32cde1608d338f2a98f3dd3eb19fee2b1a068a82a9b150a464ee0bd3ba59570e5b8750649d

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          488KB

          MD5

          afe67cddd6b3ed4507f3e25b267966d6

          SHA1

          6b53840d21d71a5d6a784d9f1fc20d17d30ae8bd

          SHA256

          65d2e51081568250847751a02475b2733df70dbbb0908c526931ab16ec1d9b17

          SHA512

          2380c77f20f227cf734c4759c8c3c585793575534f72d006f7cc20d94309b46eb298122a40cff38dc563c28c291efc23906ea8da3a15cb99a3773a4159c22b07

        • memory/1828-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1828-250-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1828-245-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2036-325-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2036-323-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2064-221-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-239-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-220-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-242-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-362-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-100-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-110-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-237-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-111-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-98-0x0000000003320000-0x000000000391F000-memory.dmp

          Filesize

          6.0MB

        • memory/2064-396-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2388-238-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2388-229-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2472-244-0x0000000003540000-0x0000000003B3F000-memory.dmp

          Filesize

          6.0MB

        • memory/2472-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2472-243-0x0000000003540000-0x0000000003B3F000-memory.dmp

          Filesize

          6.0MB

        • memory/2472-178-0x0000000003540000-0x0000000003B3F000-memory.dmp

          Filesize

          6.0MB

        • memory/2472-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2472-363-0x0000000003540000-0x0000000003B3F000-memory.dmp

          Filesize

          6.0MB

        • memory/2488-294-0x00000000001B0000-0x00000000001C0000-memory.dmp

          Filesize

          64KB

        • memory/2488-296-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2652-391-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2744-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2744-222-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2764-356-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2828-382-0x00000000002A0000-0x00000000002B0000-memory.dmp

          Filesize

          64KB

        • memory/2872-367-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2872-366-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2992-180-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2992-241-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2992-246-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB