Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 20:50

General

  • Target

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe

  • Size

    384KB

  • MD5

    b4f8597636f01b29ead992b7beda4b56

  • SHA1

    baf39a69fe0e0fb907251caad32678e1d406f500

  • SHA256

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

  • SHA512

    05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390

  • SSDEEP

    6144:V/OZpls/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZk:V/Ms/MP/Mx/M7/Mx/M4/MpBE/z

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
    "C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2412
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2376
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1868
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1160
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1164
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1960
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2348
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:308
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:592
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:596
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1984
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2752
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2524
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1644
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2460
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1980
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2452
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2844
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1120
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1104
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1808
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2372
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2852
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1996
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:628
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1100
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2416
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2716
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2680
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2936
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1668
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2980
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2728
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    036df02ce71e9ffe4fced48e8feded42

    SHA1

    56a43cc6d6b96560ef2db5918e61375f68984973

    SHA256

    bde370742e0fbf5e1f1baaad9fe3c595a0acc1ea994a6cb6f5de08eabfbfdf5b

    SHA512

    491534068489b76e1849b432aa44d9b9fd075ca6f7094172d9d9767be11b6edd8779c5bdc14be45353db590616652d9d337b7f927d1b275991924e820085ea51

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    384KB

    MD5

    ddcd6e5988bde2c2c529a7a8d6204af7

    SHA1

    5da828892bc306482c6e32c0fb12438ed9c3df59

    SHA256

    b654981eab9b4f17b1073e43931f46814ad3fbe1784f8e93efdc4d5dd67157d9

    SHA512

    8f648596c0432aeedf4bdc3961c8401f763b2790aaaf5a7d9545c28377f279b684fabf6979455d0f700f0acbbd1d20b10800ed3157a4247f8ebc0dfba2acf8f4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    384KB

    MD5

    7e291d4a2c183b742d55e0a8c03a71ad

    SHA1

    0d37ca0643d2dd88f6fef17556cd9759aaad8007

    SHA256

    ffef798a00f77cb7bf3355ffddb3afb2ce0ee63e396c68ca3836fd535b82d5b6

    SHA512

    19fd6ae402142cfa18c25a5573bc533b2dcc53df1e385114108b0254652257452380aab9d488f7510f4c8b50d74049ae6cf2feb9b735976923ea5b57b65a4653

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    384KB

    MD5

    f8710b53ec3d0d1b1f2d7a39c37bc904

    SHA1

    47b9a88f164a4de7a6e5b2b2984772bfff09d001

    SHA256

    c7bd813c2e1e3e450fdf4e168bb4a50ae3916ee965ed7faa275661eb0b792d8a

    SHA512

    6dfed5e91763b9993e81a454950a86bd4ac1baa1d210322e4d0ea1d6d5703baa3c0781aa7088d83c5be50abb92eae1a89bef979c8f5cb4d32bc5d3caa63cb7c2

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    ab6c22cdc3a107b5fb4a4f97930bd5d3

    SHA1

    e8a3f4b6b62e49bb7b79264eaa6bc71bf122d41b

    SHA256

    b2604eff768f899234d3073245ac5b4ad77875e53f137dd51bd13d471205e6f9

    SHA512

    86fb6eb13c2c8586c0cccca10122261083ca681a4ac59716c009ad9ec038f7b1b786e2d793f8c83a1f0a8cf1677372e2ddf40d13de83c5b2650a921d457edc56

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    3274073e17e214ae8de7af1def72dc2a

    SHA1

    f67d6aaf18bf516a883fb4a6456f58b0a0714aa1

    SHA256

    716ec7a888719ea2c9a23e3fe9fd48fc454f1a5c522f9b1a70770db863ec7716

    SHA512

    840d8dbe6039409b88415a25dd6bc5611bd97bd5ec445bec79e22f77f3946383f1627a9301a12a1f6351ebc6f4e62d9ae94a03495289bba7e173eab2012b01bc

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    30635fde519806a383ca0e0f66ef0ecc

    SHA1

    1a4ff169ad82d34faa5791bc652234e20ecffe5b

    SHA256

    df51b88cbb4b43f14e494f1753433cc659b2a3dc9f0493c11a76daa3b8bdb55d

    SHA512

    828432139195890813132bc148e7473de6ae7dc98624766f60be36af49d8133267f567213d1bcde72a257a4c5661fe0cc639275cf549d0266d42ccecfc4ece34

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    1ab9dbb39a7fde6ff5fae1e5f36aaed9

    SHA1

    7b3698c1d042c93fdf9661e42d6197c41efdc99f

    SHA256

    24876f95a7f4622740b9a20472c099500f2723d052a9d3b1b3b4b546a3072033

    SHA512

    fd4d790612f0ed26acf0522246e27b22ac4920ef661d1aa58c60d1c0a8fe881e74ceb41aeff4edbc11a0d7c47ff9a4b1fc62498e3e4c3abb37584bd55d49aad8

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    384KB

    MD5

    bc74e979de00f145e9cdb50c34602949

    SHA1

    bcc1665c409de42bd9a0aa3e9a306da7276caf32

    SHA256

    7b57e77382b5fe0b662db4b5e1eb9f3a727b141e724dead4d708df7d07eafdd5

    SHA512

    1d43b7e0594d94b9dd6be0d6bcecd9a52c7ca22c8104ef22b51781628a10fbff4b1c1783bf7b243353915bad743e91338b715da0fa1360f695ebd30ecdc52322

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    384KB

    MD5

    d97b3e4f08e7f5a7dbccec911de078d9

    SHA1

    6a4f3918ccd24e78b19d23e0942db13195add795

    SHA256

    d4db22e8cefa6294b6ce3a4e6b6294d055be7d2574f6213235cf35de805f18da

    SHA512

    bdb15b62dcff2c9ed630f4795b90b05525c893cbdb782decc2fa5e3d1def6c972063ed870d923f6bc6122c5a51b3cf1e0151773864450e6d2466acdaf7f75b89

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    fca02995aa554af81d2465930a88d367

    SHA1

    29279403c46bce8b7e9017f8eb7022e54e353ab9

    SHA256

    391dfee9a40caf0eb7e5bffbaf8bbc4b57f70ddf316842a1ebb47ddfd62d56ba

    SHA512

    f54190bb597911ad7fe946e1f6b2e54bcf2f010f869e6a0c03eed0b6fed2edfa8c60e2ff969230c49f178fe6607e538e622c3249084d360f59150796e9c21414

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    17a9c7fbc04960711086398ef99b90a4

    SHA1

    3eb697b1c8b74349bd4a44f0b4bc4ebf04ef7c08

    SHA256

    6262e8a0f6ab20e47a2628946ba23f9f9e94fc9b1cfc3009aaa648f97f7f1a34

    SHA512

    f387a3c91f1c715526804f93c03a3cc298af62dce865ff66496aea0cfef70063850e6bc0c68bb8402b8decf6599d119dd4cfe981a55b5d97c710282d35a4b81b

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    384KB

    MD5

    b4f8597636f01b29ead992b7beda4b56

    SHA1

    baf39a69fe0e0fb907251caad32678e1d406f500

    SHA256

    13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

    SHA512

    05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    74649c1ac48594162d74e54f47ff993b

    SHA1

    b423593c6cbf54ce8a4c0590a11866fc3406171b

    SHA256

    773c0e8835946dcf7b2346d94d4c5ed969284ef9027629b075ce434fc2d3dcef

    SHA512

    c77cfd5b2dfc998674b8e3465331c636ac603a6ba772a51d152b553df20b28b1cf3d733613502d224f64d17d39c9c878f014053de44edbe421793cafa44e542f

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    384KB

    MD5

    f35684e2c5a320f54ae6156e12f4e26e

    SHA1

    1ed28093b87640ed2fc9a617896e0f62b8370d05

    SHA256

    e917b14a79cb10eb0f297b1913af85c961b639a98be952a562dfb16f50baf735

    SHA512

    d770bc819270b83a2496b3847c60c62f0721310027e2acaa08de71cf5f731734ce188746827e0ca319239c09a8c349cd6c08be47d875a2137531dd097a1e2567

  • C:\Windows\tiwi.exe

    Filesize

    384KB

    MD5

    dc819a24eeaa71347bda8f37e433a8f3

    SHA1

    a9384783586547d300f0c5c6d1b4db028c92200b

    SHA256

    f8350a7aec177b07ec28f132611d6a4a08e26bc7db9859d78ff3268d9dba7f3d

    SHA512

    a50e0694fa30e33c13238119d8b613bce78b891596df55161eecffa9ffd0e12cbe5bec978ff59053430864f003c7744c05c16d482b343646642d5e42b749ece4

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    8abe69a7cd58da1b52e2c501b0f7604a

    SHA1

    8b7ddfd6c27a41d61c0135765d2b9845f0244ad1

    SHA256

    c578d77c6b770d9f5115b55cd3472f84853a640712c84cf8f0854fee04dbf72d

    SHA512

    0ad7487a02ede80fc728642a275d665ebbc0abd58a9f0df3c15b1792fe74e7c49ab914033a484dea4aee5d41cf8089a42ff29522080470a989b5d79930ea6b91

  • C:\tiwi.exe

    Filesize

    384KB

    MD5

    dde9b157723f8d774ba91ef79121742a

    SHA1

    9264f7e9100dc43916cd2293b7d71671d4eafe98

    SHA256

    105959c54be09f8fe3320b803159493c7b3bfba6f9464156ad1d99ce02f2dc18

    SHA512

    34f6baab3dfa7f9ad87dd9a26d3dc8ff20f80904462fa26924f8754754d5325d8b823d5b3c02e432de2697dec3d4824d827816b07da4f6acb3627f34c0f03b86

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    384KB

    MD5

    d4079f1555aaa164de7e7babbd94f756

    SHA1

    444811dbd5b6b30c003a5904cd58e5bab251128c

    SHA256

    cd635c9ea3a92a01121e43ee524bf33ae8140abed8c200d3514557fafb4fca8c

    SHA512

    f5de33fcf3faa21f0d34f4ca1c8e8ca7aae14b91b11ed5b88198d03e6ff4cd3f0d12c2b5538d01c36f9c87f83085287b6d009bbbcf5bf9d61e1ef0ddd36d9777

  • memory/1104-334-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1120-460-0x0000000003700000-0x0000000003CFF000-memory.dmp

    Filesize

    6.0MB

  • memory/1120-392-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1120-303-0x0000000003700000-0x0000000003CFF000-memory.dmp

    Filesize

    6.0MB

  • memory/1120-123-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1644-321-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1644-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1644-322-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1868-314-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1868-315-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1868-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1980-353-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/1980-354-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/1996-175-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1996-317-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1996-316-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2348-439-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2376-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2376-331-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-98-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-109-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-174-0x0000000003930000-0x0000000003F2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-126-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-127-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-300-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-301-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-122-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2412-416-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2524-261-0x00000000037A0000-0x0000000003D9F000-memory.dmp

    Filesize

    6.0MB

  • memory/2524-121-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2524-459-0x00000000037A0000-0x0000000003D9F000-memory.dmp

    Filesize

    6.0MB

  • memory/2524-352-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2680-442-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2728-413-0x0000000000260000-0x0000000000270000-memory.dmp

    Filesize

    64KB