Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2024, 08:27

General

  • Target

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe

  • Size

    56KB

  • MD5

    b0be3102b32edd9264701e3d79b815c7

  • SHA1

    08b6c5c0256fd6475980744d5955a59a739eb87d

  • SHA256

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

  • SHA512

    58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekf:V8w2VS9Eovn8KRgWmhZpX1Qyw

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
    "C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2404
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2740
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1952
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2396
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2228
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2668
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1088
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2520
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2156
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2312
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1668
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3048
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1704
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1368
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:768
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1312
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1732
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3000
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2876
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2712
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:568
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1980
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2872
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2848
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:708
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3004
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:700
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2176
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1508
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1084
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1960
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3028
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2868
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network


        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          d2b09605bc0f0a9bd7e2679e5ca80f33

          SHA1

          0731aa29ff9289913941d19de5f9ea9cfb1d4901

          SHA256

          6815469edb0ed5548dfe86c03093ea11b1447ced841f00db2fbeb5b55b39a3f6

          SHA512

          ddbc4eea8d0fce63e5d7127a88355c06647d0225e66debde7a980e9c283e67463b591e445e5659c9d577adbde25c7a2af5ca8b15fdffb673057b17d82c91643a

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          bc7ea5c7e2f396c1657fffb7994255aa

          SHA1

          d2c9b836e59c3e8ecbcba7f8c036c48c04eceba1

          SHA256

          bdd597f815b80d817091750da96e32435b5f909e50e73d08276b09f9652008f2

          SHA512

          02be12ef8c313a9a9eb95fb9a3a3556a718e9f828006184ee4e256215eea56b70e58e0eeadbe1e81d4adcce7bebb2efb449f98a727d34607e3475c48770bfd28

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          f040e3e4d4f81482dfbec84c848aa2d1

          SHA1

          d0520bf48642cfd77d6fb7bbd3228f514dacc703

          SHA256

          23227aea29be10f2139e287d44e9ea44146264010654ec6d30a8dcdef22f393d

          SHA512

          a64757fc76672d504cedca9dd21009b28956dce83c6220db11cc800c77c84c985e882945483f8e65d1da2ed66e93fc1864c74f45a0fcaedc711690016e803178

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          15bd0b5e1783570c99fe22aae51342ed

          SHA1

          176c2442ee85e5ff97c32a5616c183bf969c3406

          SHA256

          1656d9800a0cecaf3e02df72649e85f0085cc7a633b060a061f70b2b93964592

          SHA512

          1b1fd89916422bf2e8dba866caa695dae0e079e80bc22bcc1be6ba1b4b09c3818d7a811621b2416405007d4c01ab7c50765da65bdb05a67179c6fb5a1f4d40a5

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          b10bf64ad9b13908783b5d545343f703

          SHA1

          00adb3183f8cd0bd62a0d017aa499403a606e1c7

          SHA256

          fe8ae222ab1a409b28719577d512dd7530d207277ac10b7e854d64a4144afe64

          SHA512

          b19350ec9ef3c59dc3ecc8edde535ac0fd1697fd693dec07b1a64816daecfbf554083076a86448b5aaefda6d3987c51e876386dcd9914df56cd706b75539e075

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          090877d9c1c842142912cfe633bdf2c8

          SHA1

          158ff7652f9a1c9825458849aecfffa9934aa522

          SHA256

          ba2fe8c0ce0768b09a264cc58395d1e8b6de41f7aaa07ac8f7743277b707b5a8

          SHA512

          018374917ade2d5b36076d7ca2b56db95a5a20202d21a6fdbc234990be4ca82751ad966e79571528bdbceab50ca3a042601d6531821b5a0ae5c037cb40d6c23c

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          3bbd6647f7d24e65f286b2b8177127a4

          SHA1

          f7cf5614f0e0afc0011c27e6fade598efbed1c92

          SHA256

          929e96344a5c046fd8ed1592f7f53f444d37402ff210f1996bf2775127f933ad

          SHA512

          b0366cda2d22cbd7dfd32026737190b1014da45a22791d8ce6e9e66085c8762a825795a24b56bfd5a2122c795f11d57385300dac7c8588283c2486a84c6cbea7

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          56KB

          MD5

          5cec5f0a046b514ad9ac38d271e4afdd

          SHA1

          96330f99273065b51af64a3d7feeace400a63231

          SHA256

          89377e2d3639c985e3cf9a9e4ecc35790ee142780a5a5bcdbbcebd32ac5414fd

          SHA512

          3dd8062fc5a08013651adeb53ff4ba13a774e04dd2a99b42a6733e61d785384c04063501b40153e9036b600612bcd0938d493027e897a9d389b151c60c113ef4

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          56KB

          MD5

          8304c36369390a06ae099f9c4cf2639f

          SHA1

          d9226db34cb6b43843c153a544e2690f61886d9c

          SHA256

          17676b4ef64b2f7e7c686c5a11ada95144499b821ee32a9e41c5c2e94f920cf6

          SHA512

          63afd86e2949d786db4d450522882ec61cce97af035e8d0a350548a79c191df55c9e24ddb05d19e99f2a376ecdff9c4bf83c309b02f2b3b742aa2eda31a03455

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          326d243250dfc5fe63da5b78b70bc716

          SHA1

          666096dafb6dd12de38fcb190dfd0fadf29d819b

          SHA256

          9bd43994ca6f32dbc75e68c73085eb0b7d9fdfe28c593085a93aa9717a26d37b

          SHA512

          aa3d6eb5873fe9f9277d5d944c66525dfd28d0685c124f4e2601182f3f060d9b8f9821a5fe49332c304a1c60d45a5be05e4043def08da9dec65c9e1be151258f

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          25ca7db8d6fa75423e56ce931e022e67

          SHA1

          4a8bd5b89c646d9cc423279b7c735b7a49509658

          SHA256

          aa8bbdb780c316e493ca67c3b0967cb3f8411498d5a8d267889be95b07f9aed9

          SHA512

          db4e85154c6491a086e712adbecfe5bcb387295bc7c5143fc7686b73708490f2190874f4139f3eb6fd5e492fe8f796af207465171ae143f37a152c466792a609

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          3557620cd6ab2144210fae3ed0cd1827

          SHA1

          7db125c897d51760ba75918cbdf119f48112fadb

          SHA256

          6c1e1ad772f5f0f56130da6ce0a68950e0cd8d99e7a6755eb645f0bab7b7be53

          SHA512

          5c22f38730cd5f90dd9702ecc7dbe8222efae7d6691e0c5267131a86124590ee3a8446cf199fba116f51b3eb5e5aed236bec3952d9b1494b9a47dd50bf16093d

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          0060e3f52f38813ab4b1145f1c2e61ab

          SHA1

          912934d3dd6192fb586c09ad840cf1f5faf852f8

          SHA256

          b4af52539447a9d170e50db13c2085b56fb9513ef9b42d491589b32edca5ba56

          SHA512

          2b0f43a37f5e6c2f686955c9ce8c85747c55815f8f6d63f05c7de14a543183ee650a0bd4a5d8e78b7c25fa720b5b5d947cb81e9a09adf05817d3e41b4ad3a36d

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          ab15918c976b1884d52c2500db049fd2

          SHA1

          d3d648d224ab8930006175169e36e5282ce3e800

          SHA256

          fa477bf6fdec992251a9f1291a79fb06a189c9ddbad5ee45f16f2d9817de05b0

          SHA512

          c6b5f75ff439d6ffd4e16672b4931061a70835673cea057e90bd96377d84aa0d49ecb0c2c09423b27a1734e3e2bd5156b3de54bb4c9da1fc001971743a354e20

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          b0be3102b32edd9264701e3d79b815c7

          SHA1

          08b6c5c0256fd6475980744d5955a59a739eb87d

          SHA256

          b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

          SHA512

          58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          351afc7bee404b7bf0d58833b530be22

          SHA1

          9d2e10703c43163d799d07f9b171a1858ab16f65

          SHA256

          78725526ece54f68df207cb7b688475f658f2eeeb200ebf075814ca3bedf3a3f

          SHA512

          96915ed107f75fa49dae0c8b72047ef11782994f3bc8234b90927afc334c696c5afcce644fefdca6b23551894c60f49d466ae7ed2bbad26ad6157ed3d27dddee

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          e4f6ed8488bf167c7def663e7fde1fc9

          SHA1

          54d698a655435112c947281681151d2a62282ed9

          SHA256

          0e08a351f1149f99c82ebfa701753477f258e32e9a64fa34d087d9412e296b14

          SHA512

          adae634ffa0b6277dba9db863a5ee3980eaeeb9ced709e4a939bfa3636f22121e5d9965024bc2d9b6c1b624d1cfad4b81733830b52ad2fc1b34e9323191b8c3c

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          f75f0b6ed664e341fc47430a01152a11

          SHA1

          cc0c1329df5ee77ff9bde5105022694d3d0e39a8

          SHA256

          06691ef65e8535139a8ea60ed9399b4a5a91bf740a4980245cdcca0272218695

          SHA512

          af4e8d6f209c92550de253c553b6b0788274fe14a6d1af83a7eff0496279b1827f3ad43d0bf933f8d5db6ad1da0fac274e308ed0fa89fb9cc45eac9745b66a72

        • C:\Windows\tiwi.exe

          Filesize

          56KB

          MD5

          a32bd001152a4efa75d759f30e3c5681

          SHA1

          7734b32963b987ed66d5352808da6be9bda6fd50

          SHA256

          92c85d9372a8f6cf5fd2c1175322ee88e30f8b191d869240ae4f60e348db1e97

          SHA512

          19f5f49a659c703c7eae5f9a3ea9f2385264c939f56ad87f9785e4fb9e9ba5b5bc38472126e6bc805d3424c0b1d168adf9f8cdcb6bb27e29043ff283fb89b5a6

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          b56414214748f9d28ca538109637e6e1

          SHA1

          7df00d8199266c429f7e2ebe0036857fac36841e

          SHA256

          65a0ada34732488a094a574a877f3ed02df9ef3a0694ebb0fd432cec420e27fe

          SHA512

          d7383ffedd8be0e13d9dc5bc2a1fd821fa963f67ffca174576a5b2da305dc204171ec36b05aefcae5aa74fb168a8d95f3366538d8047a46c5c8a186f9dc5d59f

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          ca87226c8c2120428eb8890cd9b2fa8c

          SHA1

          19bd86a1317d8bf5c6f047ccc82b3b43db15b545

          SHA256

          c8caf94bbcf1e35c45b40d5e485f9ca74df5121a3f1a4a4a81448ff5ee67ecb7

          SHA512

          cb0774779a5c2f5a957ec8b3a374e0d22523f56776b38b94f14a952d35758c4a8cac6fa78a1eecd0b2c1581f25589e479dd8b41f82f88e68cf2308e890273805

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          56KB

          MD5

          ce759bd98c56b64463ede3bf3f33df57

          SHA1

          e9cb6bf61369a77926cbfea9853709c4201ffdff

          SHA256

          68155b74d131d5992e55c1774cd73761463acc60ca97abf33bba429a90ac64a6

          SHA512

          dc6b6af1d643e88f53ee79b6a6ad958f04976553e3c9184a4c7b232521972d006c6f63241df5c8933ac21dbe1504cc9c22d54b459c88b155311bc380c0611641

        • memory/708-422-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/768-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/768-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1368-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1368-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1368-224-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1508-425-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1668-329-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/1732-341-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1952-214-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1952-158-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1952-215-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2156-291-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2228-296-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/2396-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2396-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-207-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-338-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-100-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-110-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-112-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-299-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-424-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-300-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-98-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-226-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2404-227-0x00000000036F0000-0x0000000003CEF000-memory.dmp

          Filesize

          6.0MB

        • memory/2520-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2520-426-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2668-331-0x0000000000300000-0x0000000000310000-memory.dmp

          Filesize

          64KB

        • memory/2740-337-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2740-217-0x00000000037E0000-0x0000000003DDF000-memory.dmp

          Filesize

          6.0MB

        • memory/2740-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2740-216-0x00000000037E0000-0x0000000003DDF000-memory.dmp

          Filesize

          6.0MB

        • memory/2868-383-0x00000000003C0000-0x00000000003D0000-memory.dmp

          Filesize

          64KB

        • memory/2868-384-0x00000000003C0000-0x00000000003D0000-memory.dmp

          Filesize

          64KB

        • memory/2872-389-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB