Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/05/2024, 09:21

General

  • Target

    3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe

  • Size

    351KB

  • MD5

    3c901f9b60f23c24c61649a34197c917

  • SHA1

    87bea37c66f4a34f3730acc7606d106731fca1fb

  • SHA256

    48ca85344797b23064d90fa7a7d294f071bc136ba25135c2059a70b64aafb862

  • SHA512

    10b6c665145d569efc939ed1ccf7cdf80f3ea84fb5f0ab344f0ab3a561f9a630750de77e9420b3e68dffa548c0562ae092f4d873aaa96082dd9a66137a216b6f

  • SSDEEP

    6144:V/OZpljYZplx/OZpl7/OZplx/OZplQ/OZplU:V/Mjqx/M7/Mx/MQ/MU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2980
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2208
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:932
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1732
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2096
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2900
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2028
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1032
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1268
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1484
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2060
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1536
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1948
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1844
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2248
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1312
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2616
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2384
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2960
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3064
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1160
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1216
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2544
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2312
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2356
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3024
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2560
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1532
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2480
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2652
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    a4c87d6f4858f1328a22d898ccc5d680

    SHA1

    cfe96f6facc0ab950e0ceafa640d02f94384b989

    SHA256

    ff61726a9498e8f6676ee052dd05eeaa7ae9cd0a1222988d104303387fdc1bf8

    SHA512

    5ef7cb13de495158f125e61648443e3a8671519d2cb6498df42e466b64e3c70829b910691633115d3799c039c44e6c32e56466f556864a6eaedc9ddc3f1c9124

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    7f56fe84b68683e6780a14df24b2e0b5

    SHA1

    92edef557da4b64900cdab2039b0ab25e42d4fb9

    SHA256

    a65597591cd0fefc937cbc6ce3825a20acdf4bf550b2a3d3e163c9dfb53a4604

    SHA512

    e07eeaed4c1a7f4cd0be7cf4bebc0e9fde1784af8a83bf3e352cc6e46941182e12a81e639c4dfca88f770640efc964e07cf74dc806a764b99978051b49d06236

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    9563e7379235581c1cb52452d1551466

    SHA1

    44d06e71d622abe3b4017fd0cb9b7a5eff95a4c3

    SHA256

    052370172f9ba89d484f3d231998fda9aff7a1e16121ad329d39842738dc0d5b

    SHA512

    3d55657e71500ce1c930b6f04728fb930131d4540e356213206fd25967c855b4d055491e69ebcc717bdd7e004c936c7f95b3f8ef7fa67986dcaeb9d5915b5ef9

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    3f6f4084b4fb56aac18b25742401f103

    SHA1

    1aa449184ed57a14a693746a4b65d4f133bfdbd4

    SHA256

    13c3a23876a452d63b0ed22dc3883e4ebc5e8ace9d2266c9c29121bccc7d775d

    SHA512

    8fb5a3494efdc77a07925b62a528e84cb12830712bc0a61690b0161429c4bac88c9e12372605f4168a39f1f7e5f6bd542aa9ccacd456a285e1b31ffd6769ba60

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    bd5dd2c09d848786a26721a133a5ea3c

    SHA1

    28c7035cf05614be9ec35cc5236a4733bda9c03f

    SHA256

    6593cf97197a56a2328ce93a6db3e0cb6e2a061abe6fbfbf0b12ccb858e29a7a

    SHA512

    7ff3a55e80a425476fb2b3f47c6dab9a34a63f984d285830dfa9d2568b13642b9d5b1ef005d078057b54d1e7339060c95362ebd34cd5570a5a2a39c4297fada3

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    222c7d22c0dec1d04d62324f030d3e9e

    SHA1

    562c9596da5c07198ecb3b7fe99445e24aad6e8a

    SHA256

    02299cf4632778accdb75d502d43671e7c333d2b751b9195a38787d20fe380ba

    SHA512

    c0a015c3f332ba533660b4449e40f34d53d4254cfaee3e1db20d52bcd937a6f456372d24e9069f6f3ba57eae052f628cb6b4d26f4b862843e6a69648cb245d48

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    870b4cc0207581973a2ca0b12c6fc653

    SHA1

    67c49aada9c0e738b18d3dd45ddd3f7fc729f109

    SHA256

    fe1fe45d6a1311cf7827ddbe739b126a321d706a4a75eaf7af677c6435173a9d

    SHA512

    fa99ce430eafc27d8e173559e72baaa8eecf7491a8ff2999507a3052e8bfe970ad5fcef674d5ee29b62617b5f02b379309ed03f19e0980a59b64c85e6f45bf91

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    7f55160516dba9f416f13e7c40b80a86

    SHA1

    eeb0aee328f98d2f34cf60c81d7dce2aa126f1f9

    SHA256

    46f4d33fa47aaf7abdf9f90d358964bd5e0e55196274e789ca4e62b513ae6fd4

    SHA512

    330183b91907b12064692756cdb4eea4834a64776a90dff69224d8ba7536226418778a672927c0f5743ec4997fe8d52c2c9f58046c3114a3d3663114d96f20a0

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    810696065d10a4cafd8406ccbdc45875

    SHA1

    ae3f2fa226bb2447daa0ebbb9bada17b887ac7c1

    SHA256

    b7d32e5b907883ce0ca81c750047fcabe0388f5ba6cfbe3e568a08b3a93993b9

    SHA512

    4ada049221d295ea691bfae461432cd11370e3449e49b57c9c3eb98fc10c2e3686641a390fb23de66abeb97d514ad697c02fa027876f48c2d2fd51422fd784b4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    351KB

    MD5

    b5181f00fdeb93560a0756ea262dbc04

    SHA1

    92d328a4fec8f1c626eed597381218bb9bab1a4d

    SHA256

    56389165eda4f2498d9c2bac10f235767e1008a8d5bdfbe1c4a750ae1ec9512c

    SHA512

    7bb49488c89395f0112eda4f101a9cad9a1dc22850087def10028ff185a2f155eade8e9544ec8b5b50545c81b3207c9602c444ad7de6c2d84e2f06bd57fcfe9a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    351KB

    MD5

    f3c7fc2820e5c421eecea309124d6973

    SHA1

    39d1598fee009621959cd528debe3b7ea662f9ee

    SHA256

    b2634d074187d278bf9ca11de073ab02e0ba7bfbbbb6a4b764de86af836fa76d

    SHA512

    032d027f8fa1c7cca28cd9f3aead1a5690b3f04726fae386f092a3f7b52f2fa0bf8611e06e04b9878330fb5e6401745292d320815282d02dda9f1078e2c5265e

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    7953e95f6c890be569f2fb8719cba7fd

    SHA1

    0c0e5b384efda507b07de97f3d61cf813b4bf0b5

    SHA256

    8253890b42f2c958b4a5977fa1c7723045c3c7e503eeac74f34ca4d975c7900b

    SHA512

    f42b2d6ddcddc676db202d26a6774411a4c15ba197daea1f40e640b10d2d01a547ad4da3ee47a7f64b2471d57b732f00900f142c6aafb0644337236028c0625c

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    a032e025ee8c0f037c61b3bb00ca33d6

    SHA1

    761d9e7e3df4b9ed7d96325d5a67442f5254dc13

    SHA256

    48abd324eb4d8e8b2a86e5abcb2060e11f8b7161047f8983de490fc2b3ec7781

    SHA512

    397ddefcf0674b1ef9d92b724ca6e6d7f1241d7060920162d686d0f5d9713d472710c7b9c179dadd882950287ef02a8cd44e21ad3218d74cedf2f6b6e4fa580c

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    c8aa0047cb2462df93e598935a27b3ae

    SHA1

    548b1fdcb7eeabac08492585b34b7e05962e32e3

    SHA256

    22195f512b4cb7fceabedb282ca947e7d910f4272f048406b9d94453a835db87

    SHA512

    5e3ab912640f1285ebf298ac260eb555f35a50d8aa3beef09995a0f6f8aa42e5fc83fe6b2c956e631990799e9a668aef6de78d9fc0e7c862e4ffbdac9bb8513b

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    52a24c3927a66a6b4ba0192cd52bb5f3

    SHA1

    eca79c2af826daff2dd1f970c5d03c6bfd86a57c

    SHA256

    d868255b5cbc00e94022c055a298f741805c9697fcb81c3846c78401d53bc151

    SHA512

    35cd7af1ebab8a1ac9c8cc67e35e6f75b3489bb414d900fdf1c490624474ab30569c0c1a545928c781c504b011b384f649e05c2eccc43321aed63363d532b865

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    3c901f9b60f23c24c61649a34197c917

    SHA1

    87bea37c66f4a34f3730acc7606d106731fca1fb

    SHA256

    48ca85344797b23064d90fa7a7d294f071bc136ba25135c2059a70b64aafb862

    SHA512

    10b6c665145d569efc939ed1ccf7cdf80f3ea84fb5f0ab344f0ab3a561f9a630750de77e9420b3e68dffa548c0562ae092f4d873aaa96082dd9a66137a216b6f

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    3e57064c98c8255393ce8264ed92d756

    SHA1

    657de0cd90a6d4aacf53bfb4473e7ad0f0f07aec

    SHA256

    bb06ab876cda205bcb256fae79713f42b47b01397fcac2cc94f59777439f6b2c

    SHA512

    78c7cfae9851e4e42b5afdedcc2d6fb21797dcb61847b663963876a5207551caf96aac8a95e7e532eb946a8ea6f2229153e9916c4b093f1c997627733c7ca661

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    1bad494aa95feb1d8a853cf4e2f54428

    SHA1

    4d68888f0f8181240f7db168f2ea7895e80c9c19

    SHA256

    37ef54029fd7cc1019f35cf637b62fb67a59f2c5ff8a72307256672e4a33a8f5

    SHA512

    ba8f87fc264e593714feb1a52d00e1fe6f490c2c4cb12c8fb266f4620c6d0b953288626fba71bbf2a45c5eaf20277d5b890ddd471f7fed506137a81a772ca481

  • C:\Windows\tiwi.exe

    Filesize

    351KB

    MD5

    2be94c411efa3d980dc7807272a70426

    SHA1

    b7c70117abb68c0ae124046c714513cba8f04e30

    SHA256

    e92f6499898551fe35837d28a6807b17b672a22e6ca175c8a27927e5cf859e0b

    SHA512

    073154267a6db7ceec5c0b8a6c1a0c23d8dbc440eec2269ce9941984328ca5c14574f6dc45ec495de1455937503f08e84bf821f4c481b889620b0e8c91a1da54

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    bad463d1b74fc207ce2c6821c85983c2

    SHA1

    d088de5bb782e4015fd221e9b86c1782a30d7b96

    SHA256

    fe11c94da2ef8f4e368c961eb3e1b6c6518e3a49da21670fc6e32bc7dd62f742

    SHA512

    d557da6334ade40e7167c80340311a3e374a5b430b6bd5afbca7622c7616c2e4a3511bc152aeb1cb0b585c8e89de8e09660207b467e794531c9608a64b84abb9

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    f02f675e61530ff666b17a739b9462cc

    SHA1

    2a4c33527d54b2a98eaee00c0d774d1496176696

    SHA256

    b07101438464175a6fa3a57318dcd57752fd1c52e0aaf2c523df8e753a43c574

    SHA512

    44110e4a755875d88279e91c9ef89984f82d262fc4febeb6b930d912ad3bc5b647e5f49b56b9cd99c8672e864ff242c6905fa0589a083295d10e2d7bfcddb39f

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    351KB

    MD5

    af1aa4000dcb56457d7e61a641d90d3e

    SHA1

    fab0a1228de9c9f20d2cbbe55bcf130936155378

    SHA256

    69a5225c12e2a0eb57bb96d5cf98ecc8efba8126dccea1e60d0ec7198c506ffd

    SHA512

    30ef1c8c63df38d0cfa4ae7794c06638de3ab85ccbf818ee5dcb16845ac855935e8b130e7f6fd6d2df34e2ce50b66c361f6454e5e8ec8e0bdb459758571a62a4

  • memory/932-204-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/932-265-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/932-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1032-268-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1032-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1032-272-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1948-242-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1948-258-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1948-176-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2028-441-0x0000000003420000-0x0000000003A1F000-memory.dmp

    Filesize

    6.0MB

  • memory/2028-273-0x0000000003420000-0x0000000003A1F000-memory.dmp

    Filesize

    6.0MB

  • memory/2028-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2028-254-0x0000000003420000-0x0000000003A1F000-memory.dmp

    Filesize

    6.0MB

  • memory/2028-440-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2208-429-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2208-98-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2248-342-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2356-412-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2480-379-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2480-385-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2536-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2536-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-109-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-175-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-255-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-252-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-418-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-111-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-274-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/2980-99-0x00000000035C0000-0x0000000003BBF000-memory.dmp

    Filesize

    6.0MB

  • memory/3024-423-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/3064-415-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB
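The Downloads list above, read together with the "Drops autorun.inf file" and "Executes dropped EXE" signatures, is what an analyst turns into hunting artefacts: which dropped files are byte-identical copies of the sample, which ones borrow a core Windows process name outside the system directories (lsass.exe under AppData, winlogon.exe under Local Settings), which land in the all-users Startup folder, and which path was written several times with different content (three distinct hashes for cute.exe, all 351KB). The script below is an added example and not code from tria.ge: the entries in DROPPED and the sample hash are copied from this report (a subset of the Downloads entries), while the tagging rules, the list of system process names and the expected system directories are the author's own heuristics, not Triage signatures.

```python
"""Triage the dropped-file ('Downloads') list of a sandbox report.

Added example for this page, not code from tria.ge. DROPPED is a subset of
the Downloads section above and SAMPLE_SHA256 comes from the General section;
the tagging rules, SYSTEM_PROCESS_NAMES and SYSTEM_DIRS are the author's own
heuristics (assumptions), not Triage signatures.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA256 of the submitted sample (General section of the report).
SAMPLE_SHA256 = "48ca85344797b23064d90fa7a7d294f071bc136ba25135c2059a70b64aafb862"

# (path, reported size, sha256) as listed in the report's Downloads section.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe", "45KB",
     "ff61726a9498e8f6676ee052dd05eeaa7ae9cd0a1222988d104303387fdc1bf8"),
    (r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", "351KB",
     "a65597591cd0fefc937cbc6ce3825a20acdf4bf550b2a3d3e163c9dfb53a4604"),
    (r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", "351KB",
     "052370172f9ba89d484f3d231998fda9aff7a1e16121ad329d39842738dc0d5b"),
    (r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", "351KB",
     "56389165eda4f2498d9c2bac10f235767e1008a8d5bdfbe1c4a750ae1ec9512c"),
    (r"C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif", "351KB",
     "8253890b42f2c958b4a5977fa1c7723045c3c7e503eeac74f34ca4d975c7900b"),
    (r"C:\Windows\MSVBVM60.DLL", "1.3MB",
     "2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce"),
    (r"C:\Windows\SysWOW64\shell.exe", "351KB", SAMPLE_SHA256),
    (r"C:\Windows\SysWOW64\tiwi.scr", "351KB",
     "bb06ab876cda205bcb256fae79713f42b47b01397fcac2cc94f59777439f6b2c"),
    (r"C:\tiwi.exe", "351KB",
     "fe11c94da2ef8f4e368c961eb3e1b6c6518e3a49da21670fc6e32bc7dd62f742"),
    (r"C:\present.txt", "729B",
     "574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad"),
    (r"F:\autorun.inf", "39B",
     "e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e"),
]

# Assumption: core Windows process names that only belong under these two
# directories; a file with such a name anywhere else is masquerading (T1036).
SYSTEM_PROCESS_NAMES = {"lsass.exe", "winlogon.exe", "csrss.exe",
                        "services.exe", "smss.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(entry, sample_sha256=SAMPLE_SHA256):
    """Return the list of tags that apply to one (path, size, sha256) entry."""
    path, _size, sha256 = entry
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    tags = []
    if sha256.lower() == sample_sha256:
        tags.append("self-copy")            # byte-identical copy of the sample
    if name in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS:
        tags.append("masquerade")           # system binary name, wrong directory
    if r"\start menu\programs\startup" in parent:
        tags.append("startup-folder")       # runs at every interactive logon
    if name == "autorun.inf":
        tags.append("autorun")              # Autorun spreading via attached volumes
    if name == "msvbvm60.dll":
        tags.append("vb6-runtime")          # sample ships the Visual Basic 6 runtime
    if p.drive and p.drive.upper() != "C:":
        tags.append("non-system-drive")     # written to another volume (F: here)
    if p.suffix.lower() in {".scr", ".pif"}:
        tags.append("executable-disguise")  # .scr/.pif are PE files despite the name
    return tags


def find_variants(entries):
    """Paths written more than once with differing content (distinct hashes)."""
    hashes = defaultdict(set)
    for path, _size, sha256 in entries:
        hashes[path.lower()].add(sha256.lower())
    return {path: sorted(h) for path, h in hashes.items() if len(h) > 1}


def triage(entries, sample_sha256=SAMPLE_SHA256):
    """Map each flagged path to its sorted tags; untagged entries are omitted."""
    report = {}
    for entry in entries:
        tags = classify(entry, sample_sha256)
        if tags:
            report[entry[0]] = sorted(set(report.get(entry[0], [])) | set(tags))
    return report


if __name__ == "__main__":
    for path, tags in triage(DROPPED).items():
        print(f"{', '.join(tags):40s} {path}")
    for path, hashes in find_variants(DROPPED).items():
        print(f"{len(hashes)} distinct bodies written to {path}")
```

Two design points: the masquerade check compares the parent directory exactly rather than substring-matching "system32", because the report shows the same binary written under both C:\Windows\SysWOW64 and user profile paths, and only the latter is the anomaly; and find_variants keys on path alone, since a path that is rewritten with a different hash but the same size (cute.exe, imoet.exe, winlogon.exe here) tells you that hash-based blocking of one copy will not catch the next one, so hunting should key on path, name and parent directory instead.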