Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2024, 08:27

General

  • Target

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe

  • Size

    56KB

  • MD5

    b0be3102b32edd9264701e3d79b815c7

  • SHA1

    08b6c5c0256fd6475980744d5955a59a739eb87d

  • SHA256

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

  • SHA512

    58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekf:V8w2VS9Eovn8KRgWmhZpX1Qyw

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 8 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
    "C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2420
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4244
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4732
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3676
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1060
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3188
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4040
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3972
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1728
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2612
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4048
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3300
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1560
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2684
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1172
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3240
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:688
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3992
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1616
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2188
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1556
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4284
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2356
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2440
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2512
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1376
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4436
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1976
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4324

Network

        MITRE ATT&CK Enterprise v15

        Downloads
