Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    06/08/2024, 01:42

General

  • Target

    3d139b69481bd8d8e19a69076e324060N.exe

  • Size

    488KB

  • MD5

    3d139b69481bd8d8e19a69076e324060

  • SHA1

    055411e49b2fbf273c38339547e3bf9a574574de

  • SHA256

    f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93

  • SHA512

    19bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a

  • SSDEEP

    12288:V/ML/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V0K2O2HIBEd7M

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe
    "C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2356
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2776
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2816
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1944
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1708
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3036
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1204
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1808
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2796
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2844
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2600
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2684
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1128
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2436
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2156
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2584
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1152
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1524
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2760
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2716
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2744
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:288
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2112
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2756
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2912
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1728
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2708
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1816
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2428
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2924
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1400
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

    Filesize

    488KB

    MD5

    7211193bffee1df1c05e295be7fca7e6

    SHA1

    d3e3306b5eb2b53b1fcd22b7827ab8a4561b0a71

    SHA256

    5205f1dbaee8385ae249e2ce14f077a62cf77f1fee28198cd1a22998276e7e85

    SHA512

    ee4f08da3df92c503f4779168a5b99a82819965afde233cb4e2bb2a9a0f29c5f69fa07559217afe80a0efb84ce7873bbd33eb1611280a802f3df61e335b65854

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    cd60cc844ef7e3ddb36006c2215c2c29

    SHA1

    3c587d18dff91a551d19dbd0ce8ab3d935805669

    SHA256

    7980776d1387c639a74231a5766c96332305e4bdba78c0377f9e1f610c3e3c2a

    SHA512

    371defbea47a3d90853900d604f25eeab34b6c752b8dd69ea5143d0acfb0d4a806d3d0135eeb265b03443d40e09004a301488b77c106907b7508169e13290c18

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    488KB

    MD5

    f2ca9dc34a24d284fcf67a403c845a74

    SHA1

    e5d05b78ffb92217ecee2327499b01c0669438a0

    SHA256

    9aeeb224902b90ea4ac2cd66aeed3a5e127d9b147f6d92db77d5a97529080e9a

    SHA512

    b994ce60add1bafa6a9774219a88835b2d6d81833b4ca2568474ad7d97365f082c0be17397e948442d06c830bc2b21eece5152a4c670340cfbc1895255ae8baf

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    728ff4b35593e33192ce29ea452a694c

    SHA1

    b7c8d1db560407a68f974b80de876c70ec729065

    SHA256

    b81ea80d54b5cedee73e70c86c441bed884e1b36d65d965801a37fd591e793c0

    SHA512

    6659f59f52706b4a64c0aab201562ec667783b0cb95f82a7d2c8d6a361211d0fb67b2f867690f8b9a78251550fbfe47ef2e2b98e05cbf977c0ef18bba9f4781b

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    49782caf1232e2b53940db1aa07a9d94

    SHA1

    e5906c68dfdf4766f82af3fb7c06cfc053f0e028

    SHA256

    65e62f04f90b4af1fa6ba3e0e4801dcda068cbab1c0b948713941b0ad2dfb1d6

    SHA512

    a829076f8ec1bc011404d0028fe639ac654a4eb52022f5dbd9856d06415f25c524951bf7d9309e8a945f34c800b7d926b6d874434615ee190d3af999c1a7ea60

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    debdb55a67337d6167b856ae138e5eb2

    SHA1

    0d5056ab4e5d3706d7f0c93f0c480ee8b8f224e7

    SHA256

    d0f20f4e21b86e5ad452430929b67f5496d4ab14f668d0461ae2115718e4dc57

    SHA512

    9e84e0d48efbc3e8299596b0357507db7552bd652fddd8378f487e6b7bbcf82151630204e789d22c3d773c8a36dd76184686d157a572d64f3d5566afec1d822d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    70c6c52df955d3eb50d2ae0da427f34f

    SHA1

    f70ac0fbf55d2263797c9db33f8821a5ca06bc48

    SHA256

    1d76f01d806d74f5de66543a3a6a108edcacda0668a4fa8fba53b59e8c16b322

    SHA512

    11629fcd881080d11af415c9c908dbcb3235d7d40756b32909ceb612569dfba83182e0ffae5a31c4f464b61d948582db922865b82664a695214aa1047d36db3e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    768a6e8bcae287058124b97f406cd31c

    SHA1

    41d0c17863755818a60b9a720c1fe2a60f26517e

    SHA256

    db52041d3ebc37bfcd55a73cd1832c003b632c56c02c021c022190c5f8fa157c

    SHA512

    954a6152a3c57301b88efa5d32ba90b913730e387b31c6da8b567cfbcabbc5514f10cf44fe43cf3b2fe51ae83030627bf12998b70eca1c7b3c439e4e0720df66

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    913bf977b733861750e0ff731d5ea7d9

    SHA1

    8aa11000e1a6a24a57c1571de665a3a3dd6cd498

    SHA256

    3657d42db8a6bb5f0c0f6c608467ebc84a56a7a81885ef767cb697fd9ea3c762

    SHA512

    38561349c5241c680838d0f68f2946adcd9491e469da5006430f22888a6467ff8f7bb08f1191e51585db7954a08e3cc99c5af009f3c992428b822f2ecb80aca6

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    536c3488909514704fecabbdc899fee8

    SHA1

    35ce7b7afdff315cff2e951def17594caa3393c3

    SHA256

    db55b868acfdd37bf42487b750606ec29661c785a940681d2c34dbc1e81b7d12

    SHA512

    d8cf8450ab27d929e2b1fbbc49326daef814d3d9c7619bb60758aa02295c59639be4b9914139e7543f378ce967855af51bec08949f677b8daf9ca66e31cccdfb

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    c174d237b6ab287cf7e7190b9e9bf33a

    SHA1

    75c0ff9588b1358f38185fc99932b39ef240704d

    SHA256

    834a57572a343f6ff6e3aeeb9b21836691b8351e1527d99356ba102d764424fb

    SHA512

    62d08fcf1f6889d1d3a88f227945247e0e6f6ba00e34c4543a0aaa23816c558daae5c2a3f1cc7bc702aad86984428b7260f0750e47fe7e27a4484e3724ed2b1a

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    83889d73e94d8b02d3e7b77513b6f190

    SHA1

    ab5c7acb7a9672a7cf29362e7954a045e82435ce

    SHA256

    92c970424e063709fa2d0f0056fac60d3dc99d1771c6ed92d1439f187cfc20aa

    SHA512

    cf57354578d91c806322b38bb825ee604098d1d16e59fff7190a069d369610329588554251d9e4f286e13623bbedc2c664600ef779af95cc3a71c8371cbc883f

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    46c2ef2116a81fccaef93aa5f9f9e69d

    SHA1

    199c1730e5424fcd6b9e385a4ab800e7139e2fb1

    SHA256

    d69aeaa10aa5d47d6f560f12bd0b518f2bf93f60bf2fc279c32957b52e65f9d1

    SHA512

    2f6de471e3223c02b639a5e0c7ef9c584bf5e817aa64d1d8981bf29a11c0cf174285dd96b076d3c13d40e1ea37add3e42101c787046837534d72ee05981420e1

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    ab2990b0bcfd32a91aa141f2a12cef80

    SHA1

    5ed36836e72ef81305ad8c91b206199aee7495c4

    SHA256

    f46dd184734d52da3691155279d8fbbb2340571b6798617b926c8fcb2cc1b441

    SHA512

    ef763fe31779d62a4913e6a97eacd579ed36a7d3651bc88077a993d7b0a68efaafd1072d194c51299839baa5bf1b811d27e34c57c1317dd2eddce26ed22191c5

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    07321e97441e42e00584bd62567d7321

    SHA1

    2a10d85c7ea0efe325fcbbdc615718879d7a25b6

    SHA256

    97566e42a2005165178766fbb595f235033e0492e687324ff33762cae20bb715

    SHA512

    6acdc7f5954b944b51b46741e8328a01f2f2e24493cb24db439f251a55f25b9eed1f9aa98dd9cf9c229b9581837edb0b0689fae677616c3e1048f3bbde95ba1c

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    8130af817e068dacf609296a9505fe1e

    SHA1

    3c0b73adb73f627f477c791996a2965c9f687c18

    SHA256

    ad8936d7def44aa2dcddb1bf7c4da7907b1ee83b2f52ac3bafa8e86993d8149d

    SHA512

    dcbe90cfe001108093a549609cb3676b64b21c342e8976833ba321c952fdb3d2be17c3cafa1494533369342e902e44a0f915dd7a613831a14d6db08e4b549b9e

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    3d139b69481bd8d8e19a69076e324060

    SHA1

    055411e49b2fbf273c38339547e3bf9a574574de

    SHA256

    f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93

    SHA512

    19bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    1942265a98b65c0051db57b3d8ea4106

    SHA1

    542cd1499c29cb4abef5e57cb0bc41aaa43ef325

    SHA256

    22440e1920ee70e1b76cc24d6dfd9530f24db8533e2e29b82f7d036bf537848d

    SHA512

    506886a5b07d62ee343add3256d764ea0e82afd719fe88a9f56ee3380c5c2cc8a8031c196f7edc313ce42a1634edec341e21b1de6618fa592cb671490dd6dc50

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    c64677fc7d5cbeb36bd75c59a45d8950

    SHA1

    519d6d1dede970cfa6e6ae93dccf1c9c1c7d4668

    SHA256

    ebf67dfe479e5ec2cc7f2ee768d9d9f04ee5493dadf7bcbdd927b132a5814cb9

    SHA512

    60060a31cd18b864c80f975fd2637398401417542c6623efa341c852fb19c89c812809628e524fda80f8e331c1a8ef43cb0449cfc7a53b92cf76b5ee17ad62b7

  • C:\Windows\tiwi.exe

    Filesize

    488KB

    MD5

    af0ae8a7c3927761018452b0aac6f6c0

    SHA1

    7417b026855533f384b731b95bb411c44130872d

    SHA256

    c98161ee42e38b9f99aa871e3e4e64cd124fd8b60c009caa9454a5dc2575daf9

    SHA512

    e715208b780e491d2814d09129b3ce833edd16823cd9ca36b06cf4f3729b826c31632d58899f54ece9a0118d65df292fc0578e884834400019a7fa8d5292f817

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    7d8dc315f3fb8fb78442c44ca03b1a17

    SHA1

    f3d71aed66223ce50b6d850d16b554d27c7bd54a

    SHA256

    2bba626328438bafa741fb205a7cbb8558b257999b95a45f62ccf1ffa1a5363c

    SHA512

    4808c0ecd93b01233027c77e55810b1a87c02e480c9b0ddd6c2f7d0d7f37ab87ca6e62047ada57115186385b8797253f10bb91e65fccb8b5cf84419c93908480

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    3064c5b9e10bec17a5ca4596fd7da42b

    SHA1

    8d93b3bd51463ccfbf73b07acc4585cceb1f387d

    SHA256

    34e51a69fffa35048b39d2aa93391a613b0550cc22dd677e681e42a6a6c515b6

    SHA512

    d5c045f6a4b999f1a7a0710f9c2759341abec5bd481edd074702a2ee8a35c4dfcfc577349c5e4fb1a26ce14d53a08522f6d47aaa235d443e7eb8fe66942f10c5

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    c04bcfefb77f208bd7c5d96e1c3af940

    SHA1

    de0af7d75944d421cba590256dd2d5c420cb5c58

    SHA256

    538b2db1dc67f4f162f8b1c7bac4829443e6d7bcd19b5bd654b0d078f5184f48

    SHA512

    8cc4d1d174b598d489ac5e6d15659dc8231ecc35d822831129fbc49322cd3e838c7e6fb4f7d08b821814cee22c4b6b40d74a40edbb4a4dba8c8cc200551c470b

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    488KB

    MD5

    8bd0718d719c28e2d3c06d57b23d29b4

    SHA1

    50809f2bbc08ef41def49d5c633c8bbd72eb2fd3

    SHA256

    9703d21e8555050f40cc5d51f90857b101398ffecc5af4637d067fa76cc0b878

    SHA512

    7c10e4f7f3f82608352b0b379c752463337ee5b02bbfede321409e1ac65cbc06a9b8b2fc054e55cd2abb8b01c344aa5e0fbd5107b1fde43f7b03dbdd3dbad4ed

  • memory/288-451-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/288-138-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1128-313-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1152-450-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1152-126-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1204-438-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1524-363-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2020-305-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2020-306-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2112-356-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2112-358-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2356-136-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-124-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-99-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-98-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-110-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-111-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-185-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-137-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2356-125-0x00000000037F0000-0x0000000003DEF000-memory.dmp

    Filesize

    6.0MB

  • memory/2436-326-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/2436-327-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/2684-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2684-449-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2708-264-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2708-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2708-186-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2716-374-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2776-448-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2776-100-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2816-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2816-268-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2816-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB