Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2024, 20:43

General

  • Target

    65fdbb4874824edbae3b8ddd9758f7f6.exe

  • Size

    274KB

  • MD5

    65fdbb4874824edbae3b8ddd9758f7f6

  • SHA1

    13fc501a38199ad1e58e301eccc72f08a490068b

  • SHA256

    67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a

  • SHA512

    60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4

  • SSDEEP

    6144:2WC4YgB9Giy6WC4YgB9GiybWC4YgB9Giy6WC4YgB9GiyOWC4YgB9Giy6WC4YgB9d:FtJ9GiwtJ9GiztJ9GiwtJ9Gi8tJ9GiwL

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe
    "C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2712
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2200
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2960
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3228
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5992
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4172
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1784
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:6012
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1824
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3332
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5380
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3252
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3088
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4516
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3076
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1716
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5680
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5556
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5348
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2988
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5208
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3740
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4140
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4116
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5148
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5740
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5712

Network

MITRE ATT&CK Enterprise v15

Downloads
