Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 20:35

General

  • Target

    24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe

  • Size

    56KB

  • MD5

    3ee1f6b1a8628fe8f538fc06c04cbee0

  • SHA1

    3e2717e8d5bea31fe660157fa421ca780556634e

  • SHA256

    24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399

  • SHA512

    36c9aae41989926ad94460d6ea8d5b98107693c1a1fa5aab3f750f29297152e07acc8f195ce8e46ef7b3e003dedacec9384d984d3ba373ee0144c6a64bc82a8d

  • SSDEEP

    768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5HOwekf:V8w2VS9Eovn8KRgWmhZpX1Qmw

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes. Note that Windows 7 does not auto-execute autorun.inf from non-optical removable media, so on this platform the file only fires from CD/DVD media or on older Windows versions that still honour it; the dropped F:\autorun.inf listed under Downloads is the indicator to look for on other drives.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
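
The first group of signatures above (Winlogon persistence, Explorer hiding file extensions and hidden/system files, RegEdit, Task Manager and cmd.exe disabled, System Restore disabled, the executable filetype association, the Run key, the system policy change) all resolve to a small set of well-known registry values, and checking those values is the fastest way to confirm or clean up an infection on a host that shows this process tree. The following Python is an added example, not part of the sandbox output: RULES maps each signature to the registry key and value behind it, audit() evaluates a snapshot held in a plain dict so the logic can be run and tested offline, and collect_live() builds that snapshot with winreg on a Windows host. The SAMPLE_* snapshots and the C:\example paths are constructed for illustration; they do not reproduce the values this sample wrote, which the report does not list.

```python
"""Registry audit keyed to the signatures in this report (added example, not
sandbox output). RULES names the well-known registry locations behind each
signature, audit() evaluates them against a plain dict so the logic runs
offline, and collect_live() fills that dict from the real registry on Windows.
The SAMPLE_* snapshots are constructed and do not reproduce this sample's
actual values, which the report does not list."""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD_POLICY = r"HKCU\Software\Policies\Microsoft\Windows\System"
SYSRESTORE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
EXEFILE = r"HKCR\exefile\shell\open\command"
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
USER_WRITABLE = ("\\appdata\\", "\\local settings\\", "\\temp\\")

def _set(v):  # DWORD policy flag present and non-zero
    return v not in (None, 0, "0")

def _userinit_extended(v):
    # Default is "C:\Windows\system32\userinit.exe," (trailing comma); each
    # extra comma-separated entry is another program Winlogon starts at logon.
    parts = [p.strip().lower() for p in (v or "").split(",") if p.strip()]
    return bool(parts) and parts != [r"c:\windows\system32\userinit.exe"]

# (key, value name, predicate -> True when suspicious, finding text)
RULES = [
    (WINLOGON, "Shell", lambda v: v is not None and v.strip().lower() != "explorer.exe",
     "Winlogon Shell replaced (persistence)"),
    (WINLOGON, "Userinit", _userinit_extended, "Winlogon Userinit extended (persistence)"),
    (ADVANCED, "HideFileExt", _set, "file extensions hidden in Explorer"),
    (ADVANCED, "Hidden", lambda v: v in (2, "2"), "hidden files not shown in Explorer"),
    (ADVANCED, "ShowSuperHidden", lambda v: v in (0, "0"), "protected OS files hidden"),
    (POLICIES, "DisableRegistryTools", _set, "regedit disabled by policy"),
    (POLICIES, "DisableTaskMgr", _set, "Task Manager disabled by policy"),
    (CMD_POLICY, "DisableCMD", _set, "cmd.exe disabled by policy"),
    (SYSRESTORE, "DisableSR", _set, "System Restore disabled by policy"),
    (EXEFILE, "", lambda v: v is not None and v.strip() != '"%1" %*',  # default: "%1" %*
     ".exe file association hijacked"),
]

def audit(snapshot):
    """snapshot = {key: {value_name: data}}; returns one string per finding."""
    findings = []
    for key, name, suspicious, text in RULES:
        data = snapshot.get(key, {}).get(name)
        if suspicious(data):
            findings.append(f"{text}: {key}\\{name or '(Default)'} = {data!r}")
    for key in RUN_KEYS:  # Run entries that point into user-writable directories
        for name, data in snapshot.get(key, {}).items():
            if isinstance(data, str) and any(s in data.lower() for s in USER_WRITABLE):
                findings.append(f"Run entry in user-writable path: {key}\\{name} = {data!r}")
    return findings

def collect_live():
    """Read every key RULES and RUN_KEYS reference from the live registry (Windows only)."""
    import winreg  # ImportError elsewhere; audit() itself has no Windows dependency
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for key in {r[0] for r in RULES} | set(RUN_KEYS):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)  # default value has name ""
                    except OSError:  # no more values
                        break
                    values[name] = data
                    i += 1
                snapshot[key] = values
        except OSError:  # key absent: nothing to report for it
            pass
    return snapshot

# Constructed snapshots for offline use (illustrative paths, not this sample's).
SAMPLE_CLEAN = {
    WINLOGON: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ADVANCED: {"HideFileExt": 0, "Hidden": 1, "ShowSuperHidden": 1},
    EXEFILE: {"": '"%1" %*'},
}
SAMPLE_TAMPERED = {
    WINLOGON: {"Shell": r"explorer.exe, C:\example\dropped.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ADVANCED: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 1},
    POLICIES: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    CMD_POLICY: {"DisableCMD": 1},
    EXEFILE: {"": r'"C:\example\dropped.exe" "%1" %*'},
    RUN_KEYS[0]: {"example": r"C:\Users\Admin\AppData\Local\example.exe"},
}

if __name__ == "__main__":  # on a Windows host: audit the live registry
    print("\n".join(audit(collect_live())) or "no findings")
```

Two caveats when running the collector for real: this sample is a 32-bit process (it drops into SysWOW64), so on a 64-bit host some of its HKLM writes may land under the Wow6432Node mirror of the redirected keys, which collect_live() does not query; and the HKCU values belong to the logged-on user, so run it in the session of the account that executed the sample.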

Processes

  • C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe
    "C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1968
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2684
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1720
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:924
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:600
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2784
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2612
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2732
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2512
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2936
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1344
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2468
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:892
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2472
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:268
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1256
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2540
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2940
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:748
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:344
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2908
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1572
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2028
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2104
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2312
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1748
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2956
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1244
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2368
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2928

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          47a6e30682b6c4c97ecf7fc157e78130

          SHA1

          535e99739a1efc4a6411c912c0a1dd1ab2119290

          SHA256

          32974eff2fab0d8747156597086f5f4a71fee7c56313293bcbee51e190fb5a1d

          SHA512

          6b91d13b84cfc41c51bc14575c6d3884562f6cc7ce966739a71b00f6807ae5a7f18d0e7a6bc085fdb60e11935b38d5deaf22bc17558b1039967fa43570362158

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          8d0d214c7f9f82b436314f05d5d74a0e

          SHA1

          3ad6eed829699d24838c391fac3b8d1a29c48291

          SHA256

          aac648f4ae3c6c77a7ca318a12293a785772559303e9e81931682432d03e82dc

          SHA512

          4aef3890837639975a42325b31a97c9495c48bc86f740e1a043eada7fdb0f5ff6650b1ca79666b8c9b833c3d4ce9bed4e3776d60aba1cfe242780f543222475b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

          Filesize

          56KB

          MD5

          3f5d7af22880da6bc20197f2e36bef89

          SHA1

          837fbce9a6b294975266af13abfbeefca2f70d0e

          SHA256

          99461ad0b932f436e2847bdc772739642f5eafe118f729aa2b29642cbbcf1807

          SHA512

          d01a7af9ab1675cdadff50cf4d25889ffc3770b6d435913774fd9c7d5e5d2ffcc5a88b7488b7ce72141d7c1490958ed5f5631a9d3712c32daa11011b1d2f779e

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          bf22bb5b84370120f486e902d0218c57

          SHA1

          4c89fe6a4ea59981aa0916c5cdaccac1f2d0e217

          SHA256

          80e9933314a80e4c888eef19f2c80a5f83aa1eb794e09248ac40d31bbf96ad2f

          SHA512

          63c9b086baf631ffdf0df3c97848bfcfc9c4ab802dc12fa08f67255a44348d6ad3cd05f1b595af2789dfa6a4ae0c8f8af1c46f7a4fd8915ea8eaf0d8bb46591c

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

          Filesize

          56KB

          MD5

          be47e7676966f7b4eeb32d38d51fac42

          SHA1

          815eba6384d1c35dd7e2a5397b9de380c8014431

          SHA256

          279ca667c58bd8bca4e4f4d8da394db9c0be9ff27e8c7810c911ae0eb6f8d3d6

          SHA512

          6703cda4fea05458650d573f7d69598907224544d8e1135c94d2bf044bfdd689c786144546446f8e64229009e8b53b4a0459bed80d0bfe5e9df68ba0364f5848

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          1ef9a252d801b7b66be8727b4db2819a

          SHA1

          aa5bd3df0d0364cb3d58355d739bf1cc9c16b599

          SHA256

          43675cf8aed98d29fdf363820ebbbf5f78a8178e112c458a0cefe0b232f265e1

          SHA512

          eab3676317449a8bea9d2c5eba45962c03e1258f60e45ee0f82b161b7aa973d8f994dd729bae5b83c0c92661df92a4b9b73f32e6627f308bfafa2e6ffc022e88

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

          Filesize

          45KB

          MD5

          84e15b48d98c834fa038023d959a709d

          SHA1

          6724d299ef8d888e5d09b1c93c2a8bd4567f9423

          SHA256

          360853aa8b9220a5f8b747f5cec99d704f43a60e1c17881d231024ff2c26e2a7

          SHA512

          53fa9213adc4e65fc7c7e9d0f9ea1ce0927c762082ed1fee0b1ac2da019d775d0d97083f97cc026930f95bc1f0bd3ac1319a2e36a69e9d1ce0df694c1168620b

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

          Filesize

          56KB

          MD5

          86c841cbf0c822bb28a20bbced06481e

          SHA1

          128874f1ce8f358681188ef1f721565863ab929a

          SHA256

          6060c76bbf5f827f4350573f9872d65329d55d4f0c392153ed2ec8ad9d2c697a

          SHA512

          0eee379b828a151c87a4b5b5f31b502936ca77469960a3d0e044c874ffe0ec77c892396f720f6e22f1d2c9a418bff4b6e329b034f6b9686991267076ee9d6580

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          7404effc4c4f968b8309910be0ab6575

          SHA1

          e18615b816b584a6119d867d6c24478577a3a0c3

          SHA256

          c5276a2c5191da1591382e7e3ce41e36a8317dcca3224add001efbefd4cdb8b4

          SHA512

          44ed958f72c6f7a87d13af4afc2c560494d2102bb0e01d03c059f808019e6e7244a2b2d9a8078c84d25291506f6feb68a5870c9cc6c3862dd277ed13cf5552b9

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          56KB

          MD5

          0957913e1957760233f791fa0442e2ed

          SHA1

          fca5eb591513834958e3333e82483a05817d76d9

          SHA256

          d6d7b73dc1934a7a37085638f918fe9bbb2c2ffc862e18c5605c003b4b231b89

          SHA512

          936923ebd78dc9f82c14b3b66ce9f4421bf24340dc7c60a9e2701614efb8034bf1af77b499cb7736218033d87b354b906a30b2b790001dec1bc8acdfd8ade63d

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          8d8a10ae69830601c462a42d9f5bc0bc

          SHA1

          ed4e015a440c36566832fd6f90bb49661beafd47

          SHA256

          c05474fa958c7ad0aaac917f789555ec1ee15b3e2c3056fc6924fc1d6bbe56f4

          SHA512

          916536ea8593e30e26fead4f729bd28c76bb9d0f6bf889e527187901acffd86a49dead878a7c4eeaf1d85dd18620eb33808613bad587604b3cf2ac8d52034db0

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          f784ab4e335270fa8d784765535ace9f

          SHA1

          fbbb01e51fd16fed88834bc4f5ff9cc86bbcbe7e

          SHA256

          be47067acb04e1a62bc2f0b35db0337bffc0df82c583a72474fa071bef398a8e

          SHA512

          d34981638c997c00e359a97f5d0021bf4773fe1c9f2f966595c850a4a35b722d01407343b9efeaf00ce8e7af26a7be6c12746a6aadee4d5d8813784c105620d4

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          e5d463744f6f0569f25a28bcca9d09e8

          SHA1

          7048625e3add64528e856002d4bc13c274428448

          SHA256

          8a1c77e974b3317ec4982303459bb5d58918b172590e1a5cb457ccfb2c449b87

          SHA512

          cb8f5e4c13fb27f68508f7452af907d71a206bd8cf6423779ffda37e011f0546ae89c620d94330e965fa1fea5f2678cf92263b9ef7b2356db22aadb825cc6d57

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          56KB

          MD5

          3ee1f6b1a8628fe8f538fc06c04cbee0

          SHA1

          3e2717e8d5bea31fe660157fa421ca780556634e

          SHA256

          24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399

          SHA512

          36c9aae41989926ad94460d6ea8d5b98107693c1a1fa5aab3f750f29297152e07acc8f195ce8e46ef7b3e003dedacec9384d984d3ba373ee0144c6a64bc82a8d

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          0c24974cd23653eb794821d4c9ff13a9

          SHA1

          c10b946e164f372c983d6988cba48a6619b17a31

          SHA256

          a7331ecbac4745dd644563d59f455d5886a7abea0c151de3571d772ef93492a2

          SHA512

          f3d5b5286cee47ace2c699e05ef82322d0cca44f3dc20ba6a01757abed91c19b6cf4bf6e5c2ac584c5a7b2874463cef1f73710c936029c45f54a3cc7afb72092

        • C:\Windows\SysWOW64\tiwi.scr

          Filesize

          56KB

          MD5

          684ccd569cbeb3edbbcd5b9387a49784

          SHA1

          c179d4dec830ac420b7a2f3fe7a4b176c19965a2

          SHA256

          5edb91bfa9e5e179c3c17b74483a9e8ee1d62e0393c4205f68bb906c64c23814

          SHA512

          3a1f066ce87cc48de62b132ee366429c89f0c85ca44fe2e2b1cda81a42ca3249c3f3dcb6a777eb56aa04dbc28adb9dd8461d164babb5d980954d0ce95dcbf2d9

        • C:\Windows\tiwi.exe

          Filesize

          56KB

          MD5

          0cd678498db8e957e9f897fa92e4b021

          SHA1

          4184dd32528355a60db201bd01d5ea9949810559

          SHA256

          0430869601de1f0e28bc986afd65d7d2c2f315f547ebaa9150f24f325ba9e295

          SHA512

          faeb387b4ceebe196d1dd595078a9d8782325e4436ec2ee5f5417ab933f371d99c9f3f2bab1d4d1e860b5cdee7b7d98299f0a4a6045dbc5a3035a482f3ddb6a5

        • C:\present.txt

          Filesize

          729B

          MD5

          8e3c734e8dd87d639fb51500d42694b5

          SHA1

          f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

          SHA256

          574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

          SHA512

          06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          80373df14d9072a0ca09ff907f941e31

          SHA1

          e99faeabd9bb6f377ab17db1baadca28d2736bb6

          SHA256

          90ad36b1e965acf545e9e11f7398f933fe8ddd6d7d157e15abb5d6c597b0182f

          SHA512

          c467b4e118670dff6dd66109cc7e97ed92a3062cc15f4ac0f2a8ed779700aa32e07d474cd77d91c6bc554a7d77a51b84dae84f66f6330fcfa8ac69c4cdff94dd

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          4abfaa583d78b026aeb7a35c9766d831

          SHA1

          9a374caca81844925f6b937028923070b4cc1c96

          SHA256

          2a685dd251d29b0c896ed9090668894fed6f6ade51ab11857f28631ca9188d58

          SHA512

          035142830c3478a372bba9cdf83be48e9aa1fcd51b6616e50dad17185326b61b2ebe8b908a468caf82cf5c06aa3f170058bb92f4411e7f76d37e3322b5444cab

        • C:\tiwi.exe

          Filesize

          56KB

          MD5

          5bb080432b02e222c99bfecbf15decb6

          SHA1

          ebf421341c7d556b06520c2ca748279350ff054d

          SHA256

          2f072484c25296d55895c31a773b76de27f3a8993faf2f25fba518625070e68e

          SHA512

          28ac844796c39cb3dea90b9d852689e31f1fa985c1ff1abba7848e63464d25a55216cea52f26cf38d9a6a7ee88c493acb45877142ec6cb15239c7fc061015bc1

        • F:\autorun.inf

          Filesize

          39B

          MD5

          415c421ba7ae46e77bdee3a681ecc156

          SHA1

          b0db5782b7688716d6fc83f7e650ffe1143201b7

          SHA256

          e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

          SHA512

          dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          56KB

          MD5

          34960b20630bc26c4ae607d155a42cbc

          SHA1

          36408e093fa54a8c57809e2d66966d4b5e1eb023

          SHA256

          83584bf1374fcc39783faa97ee6f5f37fa0d1734785b358915ffa7975b6be1c8

          SHA512

          adf9c0b35e472da5d83f11e7cfe4c66a3dcb5d7f7ab85ea6c1233c0e27bb05707989c2d43a979cf7399f3e6254f8cd26624342a9966434f6aca3ffac47363681

        • memory/748-240-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/748-232-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/892-291-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/892-286-0x00000000002E0000-0x00000000002F0000-memory.dmp

          Filesize

          64KB

        • memory/1572-432-0x0000000000260000-0x0000000000270000-memory.dmp

          Filesize

          64KB

        • memory/1720-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1720-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1720-215-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1748-427-0x0000000000230000-0x0000000000240000-memory.dmp

          Filesize

          64KB

        • memory/1748-428-0x0000000000230000-0x0000000000240000-memory.dmp

          Filesize

          64KB

        • memory/1748-429-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/1968-110-0x0000000003850000-0x0000000003E4F000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-231-0x0000000003950000-0x0000000003F4F000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-233-0x0000000003850000-0x0000000003E4F000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-444-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-164-0x0000000003950000-0x0000000003F4F000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-109-0x0000000003850000-0x0000000003E4F000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/1968-98-0x0000000003850000-0x0000000003E4F000-memory.dmp

          Filesize

          6.0MB

        • memory/2468-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2468-392-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2524-347-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2684-221-0x00000000038A0000-0x0000000003E9F000-memory.dmp

          Filesize

          6.0MB

        • memory/2684-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2684-234-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2684-220-0x00000000038A0000-0x0000000003E9F000-memory.dmp

          Filesize

          6.0MB

        • memory/2684-453-0x00000000038A0000-0x0000000003E9F000-memory.dmp

          Filesize

          6.0MB

        • memory/2784-400-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2940-230-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/2940-229-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

        • memory/2940-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3016-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB

        • memory/3016-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

          Filesize

          6.0MB
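
The Downloads list above is the part of this report that feeds detection content, and two things in it are easy to miss when reading by eye: the same path is dropped with several different hashes (C:\Windows\SysWOW64\shell.exe four times, C:\tiwi.exe three times, cute.exe, imoet.exe, tiwi.scr and Empty.pif twice each), so a hash-only blocklist will not hold against this family, and one of the shell.exe copies carries exactly the submitted sample's MD5/SHA1/SHA256/SHA512. The following Python is an added example, not part of the sandbox output: it parses the section's layout into records, reports paths dropped with more than one distinct content and copies that are byte-identical to the sample, and derives memory-region sizes from the dump names instead of trusting the rounded Filesize. REPORT_EXCERPT is a constructed excerpt of the list above (six entries, with the MD5, SHA1 and SHA512 lines dropped for brevity); the parser accepts the full section as pasted.

```python
"""Parse the Downloads list of this report into structured IOCs (added
example, not part of the sandbox output). REPORT_EXCERPT is a constructed
excerpt: six entries copied from the section, blank lines dropped and the
MD5/SHA1/SHA512 lines omitted for brevity. SUBMITTED_SHA256 is the SHA256
from the General section of the report."""
import re
from collections import defaultdict

SUBMITTED_SHA256 = "24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399"
LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

REPORT_EXCERPT = r"""
• C:\Windows\SysWOW64\shell.exe
  Filesize
  56KB
  SHA256
  c05474fa958c7ad0aaac917f789555ec1ee15b3e2c3056fc6924fc1d6bbe56f4
• C:\Windows\SysWOW64\shell.exe
  Filesize
  56KB
  SHA256
  24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Filesize
  56KB
  SHA256
  aac648f4ae3c6c77a7ca318a12293a785772559303e9e81931682432d03e82dc
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Filesize
  56KB
  SHA256
  99461ad0b932f436e2847bdc772739642f5eafe118f729aa2b29642cbbcf1807
• F:\autorun.inf
  Filesize
  39B
  SHA256
  e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
• memory/748-240-0x00000000003E0000-0x00000000009DF000-memory.dmp
  Filesize
  6.0MB
"""

def parse_downloads(text):
    """Return (files, regions): dropped-file records and memory-dump regions."""
    files, regions = [], []
    current = pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            m = MEM_RE.match(line[2:])
            if m:  # memory dump: the exact size comes from the address range
                pid, seq, lo, hi = m.groups()
                start, end = int(lo, 16), int(hi, 16)
                regions.append({"pid": int(pid), "seq": int(seq), "start": start,
                                "end": end, "size": end - start})
                current = None  # its rounded Filesize line is ignored
            else:
                current = {"path": line[2:]}
                files.append(current)
            pending = None
        elif line in LABELS:
            pending = LABELS[line]
        elif pending and current is not None:
            current[pending] = line if pending == "size" else line.lower()
            pending = None
    return files, regions

def polymorphic_paths(files):
    """Paths dropped more than once with differing content (hash-only blocking misses these)."""
    hashes = defaultdict(set)
    for f in files:
        if "sha256" in f:
            hashes[f["path"].lower()].add(f["sha256"])
    return sorted(p for p, hs in hashes.items() if len(hs) > 1)

def copies_of_submitted(files, sha256=SUBMITTED_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f.get("sha256") == sha256.lower()]

if __name__ == "__main__":
    files, regions = parse_downloads(REPORT_EXCERPT)
    print("polymorphic paths:", polymorphic_paths(files))
    print("identical to sample:", copies_of_submitted(files))
    for r in regions:
        print(f"pid {r['pid']} region {r['start']:#x}-{r['end']:#x} = {r['size'] / 2**20:.1f} MiB")
```

The practical consequence for detection is that the stable indicators here are the paths and the behaviour (the SysWOW64\shell.exe and IExplorer.exe drops, the WINDOWS subdirectory under the user's local application data, Empty.pif in the all-users Startup folder, autorun.inf on non-system drives), not any single hash; the per-copy hashes are still worth keeping as retro-hunt material.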