Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 20:43

General

  • Target

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe

  • Size

    384KB

  • MD5

    b4f8597636f01b29ead992b7beda4b56

  • SHA1

    baf39a69fe0e0fb907251caad32678e1d406f500

  • SHA256

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

  • SHA512

    05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390

  • SSDEEP

    6144:V/OZpls/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZk:V/Ms/MP/Mx/M7/Mx/M4/MpBE/z

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
    "C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:576
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2648
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2616
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1576
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1752
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2672
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2916
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2216
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2516
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3040
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2476
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1344
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2368
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1228
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2768
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2968
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3004
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1032
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2832
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2172
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2972
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2956
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1968
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:756
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2088
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1496
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2980
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2700
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2904
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

    Filesize

    384KB

    MD5

    196e7a85854760e012407f6ef6e7eb12

    SHA1

    d4a500a3fe26a11133841e4138f179111f219bf0

    SHA256

    8c28a9bac4706f61107a1817fd099f091970a6d654073b50ce2cf4d1a9b79d71

    SHA512

    88fc4f6159b3dd88311f72e813b9c0df86368231711d0e71eb32814b8943d9690a423703de6bf6c55889b7ba8cee63a2ae5c243f05dbbc1afb685b3b28d3240b

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b10aefaf178baa5fbb3449aba471ab4f

    SHA1

    230d9fe6373dace7445569a5535657c6facac4d4

    SHA256

    74ef58151e574ff11fa654c78a21aa48fb4d7380fb35d03502b86c6df582f7d8

    SHA512

    db3532aee9a6714658387ad25346e81a5a6f3d7946ef21a731e12526b59373a290a2381e188b9714ce7e041305911c9b2f8e1221038ab76b84e73a187a9fad9d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    384KB

    MD5

    82e7b29ce24a08fd104522c3ee15b503

    SHA1

    da26f8347900b6922bc077d02d8e0fd6781a2885

    SHA256

    0a4ec4c326e0a3f41175d132c9c93a7071624442e2fac91f391a16f6fc044595

    SHA512

    41c908ee2b9a7a326efd54a6dc703ca328bf070bec5c14be9cf230e04e5abbc5de4f902f875444c67e1cafb6254066f8d8c7999ef5a67408f774cc263305b8ff

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    384KB

    MD5

    2d982bf6fa76e3b6994c23e1162d7fc1

    SHA1

    df56a54a17cf74b86b45df2acbe91feebba3e86a

    SHA256

    1ff87af1fd6b386db1597154abc34066d8371ea3423d38a31ed5b77fc3920d3d

    SHA512

    bf2c7659f351d213c2a9d67553a294f7e63bf4b8d35c526d3c0e206a3bbd5e2f92a650b0415904e37ddd120d340fe8b102ef68ecd7cd0f31b4c1d8aea312050c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    a5d6820efdaa598fd9f4571febe48392

    SHA1

    59112d000bab37eaba512422b132635d7d2a48ad

    SHA256

    ef37ac4c59e7c640abd1c043a698abfba3ecf09008536ec90065224d39c90ddd

    SHA512

    9605a98a0cbab6affc0befa94bbb83acd4c20250c97b437295ba35d46f358da18c1c98fcdd7dc7c4405b6bf973ad6695ea33d15992e847e83762ec5fcb461296

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b32f0a88d69bb1847a6ae115b484844b

    SHA1

    3bf1f54228802a95160843119d97d132171cd152

    SHA256

    58789ea6af34c79408817a694aeba65e560eddce0a36407c715ec2cdec1a9a0d

    SHA512

    223a2595b29abe87b4254d9dce9993cfb4acd6a5101568e9ab29b184b8799bc561e42ea4e32e7d59ed8d7513839be07e67494bb1cc3b13e80285cc34172dcd83

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    ba8d5bd7d2c7c43115f754e9f495dd69

    SHA1

    b315a0543fb585fb99998d7f607e1645dcdf8b26

    SHA256

    dfef9c1315ade0218164cfda92b64fc2980568ba753aa17ae0e34ed43f635a66

    SHA512

    43340730f8b56bf6ddcc5b3c07cc1cf596ef70c6087191ff39b737b99c3810e536ff2b6baab8ad466b840d2a3825b336dfa1e527099e3e750f1ecc018dbf65ce

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    384KB

    MD5

    56b8f1d39e1a5208abde3fb3cf1843ae

    SHA1

    6b02d9cafdb32adfd4aebdbe8af510da55d4ce3e

    SHA256

    e3944172f375ddce1d4aa9538ea6a0beeec57621ae479a1a2f544b47847708a8

    SHA512

    b2ea42649dfe711479f9a2e67c9677c51c05908078f76258f86e9be4efedeff18f87889cd5096c71f67f466103cdcd7c31ea8cf54721d1398b7451b9ee857b0f

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    929d2655084f6769dc7a0e0a08d3f0b6

    SHA1

    a828b09f6787491aab163d46c482062d1d19fe72

    SHA256

    c01844f62020302d70e4504e5f4e94cc5b617b1b2bcc49e81c7363fc072a08a2

    SHA512

    61737b54d734f28af2440e46650a9827df71f6c6f878ca86f44b51b795390860d93c1db73cac9435a34b490c0a67ce0805d0682153228acaf6738d3ed5df0732

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    cf4b9d8955d7d36703b079ce311684e8

    SHA1

    bea00acab13f50972ad1345283d89463447a87f7

    SHA256

    42070b3d2fcd4589ff1dfb017c1284297a2dfde6bfda8a9555cf54841a9c3fd7

    SHA512

    f861fa1dfa665acd640766d2cece3b0cc3fa4a6b524020ebf111993c28171984a8d882e8f01fdc16fcd475681fa7041848b99afec46758a2a5fb9e172e3c6edd

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    24705a25f88b59f73ddda683cbe7e66b

    SHA1

    eb525aede618e37e605bf7c9e7cb20c9174a85a5

    SHA256

    dbd6aee70c604fa3f057ec806c4415b5b7a4930bf0f5e017b755aa7b713a0329

    SHA512

    2ff3002d601d03e8768c8b33154b015d3f582f7d04857c1b64f16a1a682ebbdfb12585013ab72162af6411f7b25f44f9786249b60862154181e0284dd715884d

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    39f7e73e81276d617d0ac8e2cd85b2f1

    SHA1

    e9976098ecb8416833b84668d92dfb2cb2d52b00

    SHA256

    113b738938962542511c5bd12113c78c967efd9b2349e8e5f71b7b646e625325

    SHA512

    dd5e1424b5ce3cbc9b0dce56b96e788ed01a91854586b844dcc3daff20082931244bf9012644eebe76e740f6b4d36d96fbf1ac3a42bdfc2262bc48050bef7855

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    9f985d7e37d6889f286547e9a11bf9f8

    SHA1

    4a216ba74584b2c3ea2e66537635e5dc96c3b7d0

    SHA256

    bf1fc1540d1fb2c75175ef22abd73bf8a16932130f6cbf46147faac2020ed625

    SHA512

    5d35febaab8f136b9458ffe0e6a69cfa6fca6f6b6b1c3caf9cb2043231a71b388068ded8ecca69fb42c012f88c13893e2dff37911748ec4ae85580b5e262a5a6

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    f015d26c241680f668134d6350e01ea0

    SHA1

    8d71f842796b55ec5084901ac6dc66577ebe156c

    SHA256

    cef324c658e379a844155fde5f153db20fb33292a26e7b6a84a60750b357754f

    SHA512

    9af6736b3110174d0393059942d5c84780197a02c978c0ddbb518b88f75138023d21bd21ad580efd8a394bc636687ffef415ed0c07f47cf9679db45dd1d98a10

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    b4f8597636f01b29ead992b7beda4b56

    SHA1

    baf39a69fe0e0fb907251caad32678e1d406f500

    SHA256

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

    SHA512

    05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    d3efc28a1eed67a98da0f1fe683d5885

    SHA1

    020a80d6ba591cfc612165bd2356269ada9dea87

    SHA256

    d640e2c4362855ae2030e8374fabb83c26a88b3bf93e193eff4315231edd3a01

    SHA512

    bef10a86e48414d6b5144f6939e7589404d4236f7c1971b367e62e4c2b34e306ed4d100111c2c86c16daffc9ad2665cf3f81f648ccc92ae619742185c221e457

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    f22ae70cac4604b995fb30320933235d

    SHA1

    48a50b4ee5b77c320ec73eb4eddad6ec7b858f89

    SHA256

    dc53b11b300b02749f2c0823086336722631da906d20b7f3f7eca224fe82d44d

    SHA512

    7e92e92f94c97e76264512ff58396528ad59f402f0c1ab6517b640074f2f1bb30b5dff2c85b6d6449ff893aa9b1063dbef3b958cf318f5b684c2c627fd8db22a

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    f597168456d10139d4eb5c42f9d7c98e

    SHA1

    99d4075d1f3b5b27519bc55d3e5738d8d39e40be

    SHA256

    ab18c999ee475bb516c5faba6363f05558c403dd47ef661611036614e7fed180

    SHA512

    0246eaebcd7682a14b8aff608a99a95d17756ba16cb5461081f68eec059ecfd1a9b5aff0ec5b9150912907e6d0cb1889cba6ab2e9cf07cd4475d79e2a2149568

  • C:\Windows\tiwi.exe

    Filesize

    384KB

    MD5

    5e99921635a308ee76bac745c1d44f21

    SHA1

    80ba23cce41b868e0f9e232a00d7de31d3b526c8

    SHA256

    6944172baa1bed38e91e3bfe33c2155a4ee42b8c9628de5e291de10cb3037a2d

    SHA512

    08ac086508ee7118d955b76532d56a9016084a56675d74da775d8de5a0c152c8b63c6dd8e8b21d12c5a6dca4efca98a88ff27b5f3c0c6db26f91b9349eda6505

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    0e117ee14aeb081f0e2ef7020fc66718

    SHA1

    58ba4888f8a08f11d60266f9afdd34d3c38b1aee

    SHA256

    f972d92b58a5f28d54bbc5d5e39e64143c4ca59bb305173dc0f04e54d4e8c914

    SHA512

    14ecd6c107d6e07a80026f5a28251832c15e77caf1cd2d41242e00082ea1349caaeff3d333871a96851afc82e0bcb7114753fdd7680242189233c9a69f678e27

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    acc05affc33f693b00563e3cb2edf6b0

    SHA1

    335d3c61948a1e3f852ca893b897a324ae045928

    SHA256

    769309fbdc2ddab46890239c5b9a06565728a91692f7f171e35946f2d4ba5820

    SHA512

    afc8caeb87a91cb0efc08d5497070bfc1bf0332cd119f03d1158def8d470eee29b7b4b78f1a12b9ad8218670a3ae4d3bb756330365a140b744dcedfa89db6a6b

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    9cafd1a626fbf22fec02ca304efd0a26

    SHA1

    03c0db24f6441c2428f9501ccc202ab872d45ca2

    SHA256

    ef55808e584c2bbf3f9802c6dd24a3d50534c120e9559954c5268315e5cccf27

    SHA512

    db402b0e9941d0f177f689a8a13aeef57754455a400da0cb2f46e8f0657d9039646ce16bbfd41a67d6e2b1327e764a58b165d34118d6d2ea169d42f5052eee36

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    384KB

    MD5

    b590c11a814407928f7be83677eeae17

    SHA1

    1feb93614af11964a4c6cbf58f81fd0104d0b028

    SHA256

    e0140f0803298bdf4cf240596a2430ac5c5621de606bb0d7a76d1c2e8f0a9fbc

    SHA512

    b3e64ae4ba14af12856fdb3df117c3188ebf0a29ea644daf984d4483f4dbb0be6278f54a6a3802d721fe9f6482666f3dbb21495c102d2cfbc506ebb5b66e3a01

  • memory/576-248-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-177-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-438-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-373-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-111-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-176-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-242-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/576-164-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-243-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-109-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-447-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/576-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/576-98-0x0000000003720000-0x0000000003D1F000-memory.dmp

    Filesize

    6.0MB

  • memory/576-246-0x0000000003820000-0x0000000003E1F000-memory.dmp

    Filesize

    6.0MB

  • memory/1344-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1344-454-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1968-180-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1968-179-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1968-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2088-427-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2216-293-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2368-345-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2476-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2476-178-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2516-343-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2516-344-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2616-232-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2616-233-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2616-226-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2648-244-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2648-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2832-420-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2916-374-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2916-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-436-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB