
Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2024, 19:25

General

  • Target

    1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe

  • Size

    488KB

  • MD5

    549b285b034030900764b8ca09f9ac26

  • SHA1

    81b386310f280e7788a0ffa1fa05fee6fe0fb817

  • SHA256

    1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a

  • SHA512

    16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787

  • SSDEEP

    12288:V/M5/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V6K2O2HIBEd7M

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
    "C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:392
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3568
      • C:\Windows\Notepad.exe
        Notepad.exe C:\Present.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3340
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4072
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3252
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3692
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4344
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4264
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4804
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3976
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2076
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3744
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2372
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:1884
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5052
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3732
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2792
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2492
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4428
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1236
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3092
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:756
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:748
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1244
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2416
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2684
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1404
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1820
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:764
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1504
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:112
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3864

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\Tiwi.exe

    Filesize

    488KB

    MD5

    a15fd0cf838275714377b851d7935219

    SHA1

    46e31cedcfac7f7541c22836d26242f233bf6736

    SHA256

    58fe1c7b12dc429def98f2f2f4a3afd873a61ac981e6b54cfd2fe1f48e100708

    SHA512

    26bdeafd56a22f262073ee1a870b02254782c988d11f214c5684d92b0d12e00cee80da18c3ec7ca4090574690fdac7346bec3b063134a2bfa9ce701c3eaeb863

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

    Filesize

    488KB

    MD5

    6a9ec5a9360f6f3d60a200f999a8f828

    SHA1

    cdf8430d8abdad534e228c63df332f81394a047b

    SHA256

    f19aacddca1cf38bd04ce82f44bd3f145534d73eb2c65b2194727691dddb84ac

    SHA512

    5cf6cff8ce661b843e13ff8c6d19f7b1a08adebb0b439c8ad811de550b390bd28fd08954103e082e25d8f3061550b06fa51afacefdf3dbf04af7659564a75240

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    7b63e855540b3c4bec019065d9901df4

    SHA1

    e055a7696a09050b6837a82fa0a648efcb0d98d9

    SHA256

    bd5433273b04a451937ecc33a550ea138d94f6f667381fd1f7fc090951eb7b2f

    SHA512

    2c5d08fe7303a6c0b0bb74cbc3ce0756a6f5466002efe7845aca0e89de94b796a6ff92c9473924e4a39492aab4f2a80af4a7060ee8cfdba1ed1eea5252644fcc

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    488KB

    MD5

    0655d1cee110b18e9fad39d4432aa67f

    SHA1

    67c4c58e79b8a444b86eea386499132423d41fee

    SHA256

    e34f4047e5eb92a1ed41ead761951f614896cb2804c79f864a3c3696ff9d6f03

    SHA512

    3457bf80ba0142d754b67ef6fbe7a1d9810cdf97b1e626fd3d7067793446fabcf032f57f5bc814f30639c7912a6f03f941407bd0d4b8aa4c933bb0b237006d15

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    137dc70196d811805db1246f6d4ca446

    SHA1

    6c5b74b723a26367e2a1ea7b5be8bb1662442be0

    SHA256

    b4176c4a8c1d593ff772994c93631271e4f093ebd97f81f5f7696ffe4aa2768c

    SHA512

    7c492fdc091674c044ecdb0f2b4dd3f124830ce8488709112960fe0514315860ffaccd456227c4d118ad1ca520e6a8bb65b575009317745066d80bdd3ea5a054

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    51ce6d3e3ed89c3a1050440dfa4523fe

    SHA1

    921246c9ede2e598520549ce7d06b63b1de20c34

    SHA256

    203bbd0ca118b5ea7786f4b1ce1c9b718999d3b627ee99192ef67b06ce6d86a6

    SHA512

    be50ab80daff3d8c12f805b175fe42ecefc5b48034389da779897af08f2f5850a8c8ac39bd0b30be31b6bfcacd6b642ac45ea134044ee0565cc939758f1b8a58

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    488KB

    MD5

    f860b92925f82d6680b0855e45b0a7f6

    SHA1

    f4db4543afb5ff3de2b3dd344a814924b836166a

    SHA256

    6a4249cee17dc9fb75e54328801e35ff7fbba156dbd95d84cf5d8da718751420

    SHA512

    b8d8514a7501ec6d95994aa4942b997cad3ccebb7625daca32ad29a915ddf75350fafd92c24d2ee51bf43765b07958cd708ae1e315fc170655f2aa4a99244d41

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    74e2bad0629a7afcdcebf47f07182bcf

    SHA1

    5198e6e263adf7f241aa770a2532abd573c0bfa0

    SHA256

    32ea0511a42515b2b88c00df11202d71c4aae48fdb6a9c448ab1a16eccf97428

    SHA512

    08cad8776efca90f77171fb096c660a3dd2d7873ca01798e3e977d4ffe660b87e23087e93bc56f08c1deaa9478028e0a06aeb4571f287596ee7c97e3ca063a8e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    84dbc5e9878f1d95152eac928fe01cc6

    SHA1

    2b0b2de6951e5260346af449ea31bb726eae10fa

    SHA256

    cb862620bd2c3f4c2ab93d6ce3934e6f5fd610065f8982c7e02ce02247eeb3ae

    SHA512

    3742c1a0305e0a23e69726d34186bb59f42c9cd90f586f8ba5b3bb59db52875d7e23c7bae36a4a72c52db4f4f2d8137ff2805c006c35360394f8becdde76ddc4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    46dffb7ab4b7be25fa06690c908b5b1f

    SHA1

    fb0d91b2679ad015e5decf269cad969ebae1a123

    SHA256

    8d445e3b84dad8aa73c99362a63557d709ba786e5bd7e36c71c199c7da3abca8

    SHA512

    a25cb4dd8e1f155cca711155b7989bda65987a7e14b513e5d3b998a03625bf73a422a20c9c8d0ffaaf5ccb1c64bd800c3a41063976d6b8321023b558e1147b1f

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    e7df4a8148da7d44e2e85c179eea47ed

    SHA1

    d8d7c46461734573b37d1d80ba380dfd9e099099

    SHA256

    a3490075049c46bd1d049b2d0edc8b1b6a901547104e36227520bb550f25bc5f

    SHA512

    e10dba22ad390f67a4cdc96d0f39503946afb940e01138521b74ac7cc6821058c6421c036bd8034ab2ca4464aa101b06ec0b3ec9150a1ea82684a9f4b0bded63

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    eb980f17d40f47c94448911686b6623d

    SHA1

    0262a4167e04828e15e26aa4bdda87dc4979a0b7

    SHA256

    b19778fe2821eba65aa5236abb4b6b3c82873c7f433481e1991d355a6b27f923

    SHA512

    ffb85f6227ed7c30d9c2b6c05478ae2d1ed91d19b9eab59143c9dbb3157d70990c67cfd4cc89470b4e6ed9443a81e56fa5737216d4e29255fae85c63fd8e0ce9

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    5f566e38b7871339a751d57e86f8bfcd

    SHA1

    eb8ccc9252fc20b9ee0e614932bd2db9281d99e1

    SHA256

    97d22572613f0dbd68a57a59c1893f1133c7ac325d2e0fb81521b246fc36e721

    SHA512

    3a66d193a36363995cf71c64f24aa857a9302578e44aaf3c768f579d5ad98433eb00114cf0236282b86ebfe7f7e546021744ebb573f63b4df3747ca4b29513b2

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    fb9933d360afbcc0661d6505885c500b

    SHA1

    35d8021c7afb1265bbe432b945d9add1536f70fd

    SHA256

    a434c8b03536704c8e4f2322557662793868aa412ac0ec36c071e9f271a4f9ca

    SHA512

    627516e2ba0b97a7db0dfd7189cfa0fdcdd26b18f525d1be6633cd8a1982aff32feb502726aef645e344ee8996be0e0d55b367959afa06e5d32a4ed815fc7a3d

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    488KB

    MD5

    bea3f332073ce7c2a289ebbb96ba62f3

    SHA1

    e423531a6cdaac290685fee75a5757bc62dd21d3

    SHA256

    f4a8c8b844553ed9742ff09ec8f2b002534b9cf5dc2936e57cf49c8658218b2c

    SHA512

    164d96484e8795e57ecb71c3027f8386198974c8a6ada65f2255b4772f7093d3283b12e1502f3e0baa5124d9d57ef8cbcca0bcf04df02487229006e2dd992abf

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    799c9d5a1951830cffc90129fbcc64bc

    SHA1

    a44343268c36da93bedec9ebc1dd41eed5c03b0c

    SHA256

    d00a7e44bb65c3cc2aac7c52f7f434fc4970748fffaceef53aaafcd766835cf2

    SHA512

    4605b24a3a8d2738ee904bf665690011c4ebd56fdcdd2691db081cc0d86ccd1b88e8f689e5de81ef7d48ec3a25ce8de678d6e6347859878b391f7c6ff3df7003

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    d2578629b36b695aae1644e28fc59e69

    SHA1

    39d14eded3c7102e0e25eec9977dba7695730478

    SHA256

    6747b0143ea9e1e26633f998de862596c442d9827c82e4aa2975331577ab9598

    SHA512

    a59be6d451222a50fb4f9b9bd744517e5bc450e6192bec56823b709c94884fef48cc4cf3dcdba12656d2e8caedcd94659953d7655e38c6d38796b7344dbab136

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    549b285b034030900764b8ca09f9ac26

    SHA1

    81b386310f280e7788a0ffa1fa05fee6fe0fb817

    SHA256

    1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a

    SHA512

    16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    d2d93b98fb5bbae4aca25d22d433e11b

    SHA1

    f5ea9386ce6be37a97476bec99c24fa1ff89f18d

    SHA256

    dfd42ab901a0a867b5876a4016a6500717faef423a86a20118f7cf6552ba20fa

    SHA512

    127930bb185bdb98627fd7f481b8aba4c264b08e9072585b0b0691e42c54b0e528135b7be2c5a731943fabc853ba92c5b655838952c9c216c5e46d87078b9982

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    226e211eec10a5642a7c4b2bab066ee8

    SHA1

    d16e36e2157b09fb66178a5356e46cda93a44d6c

    SHA256

    e17af855aa838d023a4e54d7790e036890b5d3d86a24f01368444ed35f55d4d8

    SHA512

    32f4a8640868e665c822ae230edd17d0feac8fd48dcbbff8f1356c3cbe1a9d64fe3bdf825813830608f3b0a84f59a9c226b41a21128c8d0a112086946c65cf0c

  • C:\Windows\tiwi.exe

    Filesize

    488KB

    MD5

    02ff4b84a530a55c4f4184b946100e14

    SHA1

    9ec57e8a5580dd9c5264c5dbba57216c94a979dc

    SHA256

    9075acaac8af80211feb8d834c065f03735880f756d931d9900dd274a074b387

    SHA512

    c681a12ee1dfb00972572577d4bd77b64f65013bdd31283c53424a51ea5a690ed3d5e699af509a19a85ed3219e646777bce4ae2fde12703879a891e0fa40dc62

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    bde562776392afe1267f4db2b9cdaa55

    SHA1

    64987a480fac9770bbdeefb586fbb76110232342

    SHA256

    c0509264d2f51109d4ecd904d2000da7ba94749cee84d578132fb2c1547d224c

    SHA512

    15b68ae5dcc8784970d1fe4a55742f6fab12845c77f8743b0f69029a3b62cac4013946810d5114505ee2ddf2ae6fdc9e956e571f9e90d6ae785c2670bda26f2a

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • memory/392-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/392-436-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/392-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1608-154-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1608-148-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1884-202-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1884-155-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2076-322-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2076-308-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2416-443-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2416-305-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3252-306-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3252-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3568-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3568-288-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3692-379-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3692-312-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3732-372-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3732-388-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3780-285-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3780-238-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3976-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/3976-307-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4072-236-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4072-199-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4264-303-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4264-103-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4428-442-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4428-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4804-284-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/4804-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/5052-206-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/5052-441-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB