Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2024, 08:31

General

  • Target

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe

  • Size

    56KB

  • MD5

    b0be3102b32edd9264701e3d79b815c7

  • SHA1

    08b6c5c0256fd6475980744d5955a59a739eb87d

  • SHA256

    b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

  • SHA512

    58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekf:V8w2VS9Eovn8KRgWmhZpX1Qyw

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
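
Triage only names the signatures above; it does not print the registry values the sample wrote. The following script is an added example (not part of the report, not the sample's own code) that reads the registry locations these signatures map to on a suspect Windows host and flags deviations from the Windows default where a default exists, otherwise listing the current value for review. The function names and the "Winlogon Shell/Userinit, Policies\System, Policies\Microsoft\Windows\System, SystemRestore, Explorer\Advanced, exefile\shell\open\command, Run, Internet Explorer\Main" locations are the standard ones for each behaviour; that this particular sample touched exactly these values is an assumption drawn from the signature names, not something the report states.

```powershell
# Added example, not part of the Triage report: reads the registry locations behind the
# report's "Disables ... via registry modification", "Modifies WinLogon", "Modifies
# visibility of ... in Explorer", "Modifies system executable filetype association",
# "Adds Run key", "Disables use of System Restore points" and "Modifies Internet
# Explorer start page" signatures. The report does not give the values the sample
# wrote, so each check compares against the Windows default where one exists and
# otherwise lists the current value for review. All names here are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch { return $null }
}

function Test-PolicyIndicators {
    $findings = @()

    # Winlogon: Shell defaults to explorer.exe, Userinit to <SystemRoot>\system32\userinit.exe,
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell: $shell" }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -and $userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
        $findings += "Winlogon Userinit: $userinit"
    }

    # Policy values whose default is absent or 0; any non-zero value is a finding.
    # DisableCMD is checked in both the GPO location and the legacy Policies\System key.
    $policy = @(
        @{ P = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; N = 'DisableRegistryTools' },
        @{ P = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; N = 'DisableTaskMgr' },
        @{ P = 'HKCU:\Software\Policies\Microsoft\Windows\System';                N = 'DisableCMD' },
        @{ P = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; N = 'DisableCMD' },
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      N = 'DisableSR' }
    )
    foreach ($c in $policy) {
        $v = Get-RegValue $c.P $c.N
        if ($v) { $findings += "$($c.N)=$v ($($c.P))" }
    }

    # Explorer view settings. Hidden=2 / HideFileExt=1 / ShowSuperHidden=0 are also the
    # Windows defaults, so these are reported for review rather than flagged.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $view = 'Hidden', 'HideFileExt', 'ShowSuperHidden' | ForEach-Object { "$_=$(Get-RegValue $adv $_)" }
    $findings += "Explorer view (review): $($view -join ', ')"

    # exefile association: the default command is "%1" %*. A per-user override under
    # HKCU\Software\Classes takes precedence over HKLM, so both hives are checked.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $cmd = Get-RegValue "$hive\exefile\shell\open\command" '(default)'
        if ($cmd -and $cmd -ne '"%1" %*') { $findings += "exefile open command ($hive): $cmd" }
    }

    # Run keys: every entry is listed so the dropped names from the report stand out.
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path -LiteralPath $run) {
            foreach ($name in (Get-Item -LiteralPath $run).Property) {
                $findings += "Run entry (review): $name = $(Get-RegValue $run $name) [$run]"
            }
        }
    }

    $start = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page'
    if ($start) { $findings += "IE Start Page (review): $start" }

    return $findings
}

Test-PolicyIndicators
```

Run it from an elevated PowerShell prompt on the suspect host; the HKCU checks apply to the logged-on user, so repeat them for each profile that ran the sample (load the hive with reg load and adjust the paths). The "review" lines are not verdicts: compare the Run entries and the IE start page against the dropped file names from this report (Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, lsass.exe) rather than against a fixed expectation.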

Processes

  • C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
    "C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2236
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2732
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1152
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:340
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2756
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:564
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2332
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1420
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1552
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2964
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2884
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2196
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2824
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2360
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1368
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2400
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2744
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:560
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1332
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2472
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2276
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2912
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2612
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:848
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2680
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2060
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1684
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1988
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:576
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2844
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2940

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          08be0f367038f6aeaf70fad62ea1580e

          SHA1

          b348accaae4bb6e11a044f8fe017e8a2857c99e8

          SHA256

          3e3f3b353a12a89fce72495c85bc32951e01bb035e2330a5fdea165163fd1fc8

          SHA512

          789f52d982637fc72be5de95d070ad9c70a1b4cf8fa5d88f71555899c28c0b0ebf875325cfb2896e8e199a2ebfad8c52a35aac8208a21302915fb51e6869ef0b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          d48f3fdb1fec8f16cd34c32fc7ad34e4

          SHA1

          7e8e5e9e2e8fa8d7a5219c518893ff6f1596fce2

          SHA256

          8754f40f1580c45f156ebc0ccb570fb30cc48a98e38f07fe43b0504332010f52

          SHA512

          11699cdf621d715a1b9ec5d37e44f1c26ce83f86f2306f55f02b36f0c8cde4d633bd4f6ac0174838eadffd4f2d5ca5ce0e6077118d0b01f7460aa4b50cd95b0f

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          94de917f7875ba9e7d3a18de7efe62ca

          SHA1

          0432bc4dd66bb88ec5f50f4ef180288143c71d53

          SHA256

          ab818f5b37738332590714daf9ac9d2bd6223607664daf9c61e0fa7edf5fe9f6

          SHA512

          bcbb52e170fb59254c86e35ac6a95869ab34207a40402a38fadce31f13dd7d1753d4bddeee2f2b9ea57ee4c1cad9dc7e76c6ff6407697ef652ece199a95dee6d

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          346cabb6e4dd5cd2ad5737c8ae6daf17

          SHA1

          9c3de3f82d3a6ca276b2698be6467ef44d080652

          SHA256

          7618a4aac93ea499b5dc06bf9cd6f75393e8ea9749093ee70b06c8a3d9ad7e9e

          SHA512

          484289b7aeb1acd6d897f0cfc814d0eae63d5935241278fcf1dae162800e379df98011e7215ba585805017a817b1957da50e4b36c2a91cb75abcf7e1faafde9f

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          6134fcad73ee96a14745e6b5203a6913

          SHA1

          847918f1c904363392d2b2fd694d461fe690ff2f

          SHA256

          15f56a001dd3bc38d07fcb331f982ae8a7053c7952f0579ee4534a6ef8bdeedc

          SHA512

          1ad08ddd8eba7362f7cae4e8d8a15c2272a7a45e9a0af5f3137df1793eaa043e5d5411b521f1b904c95d03013ecc483040968ccba610f5b45c467c9071b3539a

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          6adc5a7d85e303302e6f28513fda6027

          SHA1

          0daf71cbdba29e11c2d2e2d752bdc8aed2b3cde2

          SHA256

          68218542f555e7e51b3299ae074f1bf3890971a6df01f037cd596a2b074c64ce

          SHA512

          7d379f27dc62a94a22edbfa111426b85171670ae3bce787f9d9d1a694944df69ba6e14f5e96b1b0f48483046e2c37889479298cce620abe8240ea65d03d6a1de

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          891bf580764eb62d1b9a8fbd75e5bce2

          SHA1

          e9d72401880d46b68b130a2fa02d4d8ddd01ed6d

          SHA256

          d2335356c8a8a0f24383abcc4fddbd30619106d6e49acd95e5985096778422e8

          SHA512

          7693333d22497b20960c60833bb66a247d14eaa912b5c0eba8fdec482f7444d34cec3b30794f9caf794363c5b8285ef3dd388160f8c05e7955a9d6765a46ecad

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          56KB

          MD5

          aee87b2182bb9da8e915d0bb36bf47fb

          SHA1

          e21d3327d0b8b0482b7e4a853599b36275c3b6aa

          SHA256

          e416a6c602cb23da17ae8887d9337f221800329e56581745f4abd0dd1081961e

          SHA512

          a0c3ca5bd848b7b8530fa2e4b2ed29d9e964f3e59878edf4d379a290f95f06a2e8a89786010039f97f3cff94669f83be918d4d80228275b2c4a8a89763fc9017

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          56KB

          MD5

          c6ee7b81883ef3ff4a66a69cd2750a27

          SHA1

          1cd3dd5d3d7bbdee307e95f9e0d568c154c44043

          SHA256

          9f3c6610930fd97e14f98d6b105023cb11d38b8b9b636c1f70fa45b35348983c

          SHA512

          6c73a527f0241dbf344f85d3ef479eeff4fcc02b1984dcc7fc39c10145707f9a0e94ee2daecb3c45045d12de34434975761c6ee286184f17379918de90af5ffe

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          a78a1fd42a47044734f3487c2cb19eb2

          SHA1

          11ae6d7367caef88a1efacafba01190d13701d75

          SHA256

          99a841d8dc837dcba17782ac9142c75978a2b3c079776cdefd15540cb7e31365

          SHA512

          0a4ba6e86cd20a507ac2fb23c574765f5ef82c5b59a58a85ca6389f82d2f87262afb8f070a493b17550959edee03a67d21e03f635d0cd490d81295be25b1f129

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          f44cc0b27b1b8e47b5e5f5bac4787439

          SHA1

          43dfe29434b7c526c10a1dad41c39592fde17847

          SHA256

          1f881a784de070b6cebc88b52838a431d0b7b945072f0f03a8824073e86347e3

          SHA512

          1f289a3033fbd3a850b8c0f4d15cedea993ba857fd8de7444ca930fc98d6c40ec38565726c323fe1e0b19ab1fd5ad7f831052c0f481a70f5f9571490d6c1b322

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          723055afaee0ffdc9c34108228064c29

          SHA1

          c8a1b62aecb53e7355edb12bb54dc6435ea2c91a

          SHA256

          4fa51b6429355c803ce344b57e5af36b25352575d38e1dcb0a9125045e3aeb0d

          SHA512

          01ebef95879f0fb605210bc3b76634ffc562d0c89f52ac99c74290eeac352817f23fafb78815293f2f2da63164dbeca1e0b96714dd8c11fe9842da605a53dcc7

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          b0be3102b32edd9264701e3d79b815c7

          SHA1

          08b6c5c0256fd6475980744d5955a59a739eb87d

          SHA256

          b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

          SHA512

          58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          b467127e12646c45ebd4ac770c06e44c

          SHA1

          3815fe0e4d418c9dc598bf5a43add96117134a5d

          SHA256

          50a79d642393b42351d7aabc2bb34ea9f95332804288d6a9f39967595705cf5f

          SHA512

          e0b617e068790533eba89d5fb7b1a452224621c81b100fcdd53544c7c49137510ac81b53e5b5b20c2f038c96660b73f3744b5a5bb02fe9491b3597c68d4886fc

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          569d69281213c1d59250396cb937361d

          SHA1

          621391b8c1ccfb9d6c4c56bdfb5a24ce73901c97

          SHA256

          7f1247a73fbb7c7c79460d353f603f23c8f322761cf5498917c2abb219a851b6

          SHA512

          40f5f6bd231cae8179d42b8216f297634cc0984c26723629376417d1a54fb0560321912bbcf964276af110874c76170c27ef87d6c86cb9c57e56b222a25fd4ae

        • C:\Windows\tiwi.exe

          Filesize

          56KB

          MD5

          fac4450009fbed900e6a4d62f7cd63b0

          SHA1

          748e22ae791f5f6fe7d33f2d6c1fb61ae059541e

          SHA256

          6a3bb75e5182b1c19ac9710ff7d0f5a6e81ba34450319794c9384f6cc7171c56

          SHA512

          5ca6365aab85bfb90abe4983cd7c327d5bcb61ad26e1624125e9bbe23ad90998a29cfebf7986e2bd4f76510b20b20593cab4e9730a5c55e41e2e52a9aff1c361

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          e1fda0a187004401ee2b61af6dafd18b

          SHA1

          b7cd08b2a1b31f5eb141cfc007021d9333dd945b

          SHA256

          3b998df869f04b86e826dde2fe07090df927dcdfb6d1cafee9e2d62a070c183f

          SHA512

          35ece474659714e79ad672b9b1012c4597b48ebf4c238362e3fa0a5f260fc54319d21f934bf5b6395b885ee1ee2da609dc421dbf1a9f9237c7883ff0374b5c2a

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          56KB

          MD5

          caed98a10f904f2c56c3ff0a830dc671

          SHA1

          39bdb9b86d3585e5f85f8c7a02b9abb365c79bac

          SHA256

          e27fba8aca4652bde03327bcf3c531c5bdc77aa7b90d532591763703446d46c5

          SHA512

          24d05fea43e2108b160735f0b6a618444169be49eb834dbaf335979413ecbd4051c2f827f5e258b517606083a66bada8c0272e09f8a57f4a64fce743386109cf

        • memory/340-275-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/340-278-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/560-422-0x0000000000220000-0x0000000000230000-memory.dmp

          Filesize

          64KB

        • memory/1152-214-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1152-221-0x00000000001B0000-0x00000000001C0000-memory.dmp

          Filesize

          64KB

        • memory/1152-225-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1152-226-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1420-452-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1420-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1552-299-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2052-421-0x0000000000230000-0x0000000000240000-memory.dmp

          Filesize

          64KB

        • memory/2052-420-0x0000000000230000-0x0000000000240000-memory.dmp

          Filesize

          64KB

        • memory/2236-311-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-228-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-110-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-429-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-304-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-164-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-98-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-220-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2236-108-0x0000000003730000-0x0000000003D2F000-memory.dmp

          Filesize

          6.0MB

        • memory/2360-229-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2360-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2400-386-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2732-312-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2732-277-0x0000000003700000-0x0000000003CFF000-memory.dmp

          Filesize

          6.0MB

        • memory/2732-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2732-279-0x0000000003700000-0x0000000003CFF000-memory.dmp

          Filesize

          6.0MB

        • memory/2796-426-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2824-215-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2824-216-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2824-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2912-413-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2912-411-0x00000000001B0000-0x00000000001C0000-memory.dmp

          Filesize

          64KB
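
Two things in the Downloads list above matter for hunting. First, the same path was written with different content more than once (two hashes each for cute.exe, imoet.exe, winlogon.exe and tiwi.scr, three for shell.exe), and only one shell.exe copy carries the submitted sample's own SHA256 (b247aea9...), so an exact-hash miss does not clear a file; the 56KB size of the executables and the drop locations are steadier indicators. Second, the 39-byte F:\autorun.inf is the "Drops autorun.inf file" spreading mechanism, and its contents are not shown here. The script below is an added example (not part of the report, not the sample's code) that sweeps those paths on a suspect host and parses any autorun.inf found on a drive root. It assumes the Windows 7 layout from this run, where "Local Settings\Application Data" is a junction to %LOCALAPPDATA% and "C:\Users\All Users\Start Menu" resolves to the ProgramData Start Menu; the function names and the directive list are this example's own.

```powershell
# Added example, not part of the Triage report: checks a host for the files the report
# lists under Downloads and inspects every drive root for autorun.inf, the spreading
# mechanism behind the "Drops autorun.inf file" signature. On Windows 7,
# "Local Settings\Application Data" is a junction to %LOCALAPPDATA% and
# "C:\Users\All Users\Start Menu" to the ProgramData Start Menu, so the report's
# paths are expressed through those locations. The contents of the F:\autorun.inf the
# sample wrote are not in the report; the directives flagged below are the ones
# AutoRun itself honoured, not a quote of that file. All names are this example's own.

# Dropped-file paths from the report (user profile generalised; MSVBVM60.DLL is the VB6
# runtime the sample brings along, not malicious on its own).
$droppedPaths = @(
    "$env:LOCALAPPDATA\WINDOWS\lsass.exe",
    "$env:LOCALAPPDATA\WINDOWS\winlogon.exe",
    "$env:LOCALAPPDATA\WINDOWS\imoet.exe",
    "$env:LOCALAPPDATA\WINDOWS\cute.exe",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif",
    "$env:SystemRoot\Tiwi.exe",
    "$env:SystemRoot\MSVBVM60.DLL",
    "$env:SystemRoot\SysWOW64\IExplorer.exe",
    "$env:SystemRoot\SysWOW64\shell.exe",
    "$env:SystemRoot\SysWOW64\tiwi.scr",
    "$env:SystemDrive\tiwi.exe",
    "$env:SystemDrive\present.txt"
)

# SHA256 of the submitted sample; the report shows one shell.exe copy with exactly this
# hash and other copies of the same files with different hashes, so an exact-hash miss
# does not clear a file. Size (56KB for the executables) is the steadier indicator.
$sampleSha256 = 'b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474'

function Get-DroppedFileReport {
    foreach ($p in $droppedPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $f = Get-Item -LiteralPath $p -Force
        # Get-FileHash needs PowerShell 4+; on a stock Windows 7 box use certutil -hashfile.
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path         = $p
            SizeKB       = [math]::Round($f.Length / 1KB)
            SHA256       = $h
            IsSampleCopy = ($h -eq $sampleSha256)
        }
    }
}

# autorun.inf directives that made Windows run a program or replace the drive's
# double-click / context-menu action.
$riskyDirectives = '^open$', '^shellexecute$', '^shell\\.*\\command$'

function Get-AutorunInfFindings {
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue)) { continue }
        # -Force reads the file even when the dropper set Hidden/System on it.
        foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
            if ($line -notmatch '^\s*([^;\[=]+?)\s*=\s*(.*?)\s*$') { continue }
            $key, $val = $matches[1], $matches[2]
            $risky = [bool]($riskyDirectives | Where-Object { $key -match $_ })
            [pscustomobject]@{ Drive = $d.Root; Directive = $key; Value = $val; Launches = $risky }
        }
    }
}

Get-DroppedFileReport  | Format-Table -AutoSize
Get-AutorunInfFindings | Format-Table -AutoSize
```

Mount suspect removable media read-only (or image it first) before running the second function: the point of autorun.inf is that merely opening the drive in Explorer can execute the referenced file on systems where AutoRun is still enabled. Any drive root that also carries tiwi.exe next to its autorun.inf matches the pattern seen on F:\ in this run.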