Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    30/09/2024, 14:59

General

  • Target

    11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe

  • Size

    351KB

  • MD5

    46af153ff1ca8bbd9922ee1cd457aa00

  • SHA1

    c8a5f9ca564f1b95acd5e3b8de8235350b0fbc75

  • SHA256

    11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45ab

  • SHA512

    d60c807faddc883c0d61d403c58006ee38076ee945a9fdd38c4c69f845cdf33533d752a9a7d7f549fb0f08159c5c4c997c6d5885dbed2c82e276e9ff611674b6

  • SSDEEP

    6144:V/OZpl8YZplx/OZpl7/OZplx/OZplQ/OZplU:V/M8qx/M7/Mx/MQ/MU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
    "C:\Users\Admin\AppData\Local\Temp\11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2956
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2756
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1488
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:540
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1336
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2404
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2412
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2776
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2448
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1916
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:264
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1040
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2916
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1944
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2108
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2616
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2208
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2504
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1536
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2120
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2052
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2528
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1928
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1644
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3060
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1816
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2536
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1964
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1920
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2264
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    a8761ecd0dbedda62af5424cf5790b56

    SHA1

    9380452f88a47e5b112e19f3c19c42094ecddaf3

    SHA256

    8dd29ff22ae26ffc128cb461f408019f871edbff8bc0299da54e745ea5475344

    SHA512

    fe9500babfdf0f4aa2943ceffdcc26a44e296d03f6427e1a5a937a5d1e8ec3d46fce0df6126534a9c7420800f4c5fe306b6e7e32f4ddde85af6ff13819d7535d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    051289428f7e968e810f0160c1debf0b

    SHA1

    8e9e3a831215f317f69b328458796773fda4835b

    SHA256

    e34bdff5fa163fc281394848b98622462a13be6ae9bfa3274d43b078425c92ae

    SHA512

    da85f54760a3e16f9c60f12b2b2fa9bb59c774fc03d7f9b0886593f83b392154ea2c74da287ca06d2b21b5a85342c526fe7004d4f2d03d4cde0bcdf40e081e3c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    b089fba849fe5bb2c0d444e362adcca7

    SHA1

    bca50660694ef496c3801b6e94e1eeb50d956b35

    SHA256

    125c102633e62ff2db6d3f31275bb83dc2401fce4db7ea85d63c24b4f0c9a43d

    SHA512

    33c337d30d593050a56d9663a79b3079f28f06dab5d323b7f88594bd9ac878aa25fe597e6ed204d86d81613d1233f6c6c1148452d0d009382d8315a08eae8079

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    351KB

    MD5

    ae49415700244d1d02adc9a443edd9b2

    SHA1

    80e7e3e7a3160ddae160e0d0a5f71cc6fd59e70c

    SHA256

    95f7faec426d956f962e7c3a0d4d95aba811abf7ae5161f7a2a629adf668183e

    SHA512

    bf568687189207ee6a8c14f2831beb1bb589d2e90e061ad4dd1f471122ff0e5e2e333dba6f1521b85310cf2e1dc3dce16c5317e08eaf30e7fa3c1f581d8b9985

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    369424a29566d757eb6ab222bf08dbec

    SHA1

    f3439024f8e3b7dccaff23600348b6ce5bb8687a

    SHA256

    706c3dab328fd649cded7202da0372221c2b2c9051399c91f579c12442aabd45

    SHA512

    89a246b58af25bb563a9db6178d92807cc2269a52fc45c1be6f94bf67755bbe065fecee2125df756cb1f9dc39c4949a3d1a52b1ce859ffecf07ad23db9835fd1

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    351KB

    MD5

    286c81837f966da4f128f079f5aec2d2

    SHA1

    af9a3dc9866634061883e8e764b4069790c609d8

    SHA256

    e43f70ee28f247c05b36f78562f04f4c47ebeb316dbe8ccab1c4f1d252496cef

    SHA512

    a9e583cf4b3a8689af69923af0d486dc7480c509c31d0db7a5200c9f3e893074253bd1fb561d76b6e0afb1b079c5e16a1f467608cb2b73881b67462a5de16c58

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    3bc74a6c9a5cc5c79b6fb03ca070f16a

    SHA1

    2f3b2d11497c9eb2de7845e4b50cace210d77bb0

    SHA256

    ee82044d79fe830c67472a07e836f68b7f5a460edddbedf4dfe0b2591d9cd7cc

    SHA512

    909411e7b6951496e8e997602a22f09a8b7de031269e9786bf1799ad3e96fbba7b3d8541729bb04b51816df26dd9947639f5d5f7ba8e971c26706bc89d672edf

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    f87c07cd487e8eb37d291f34f2d30294

    SHA1

    ec63d65953ccb70c3945263f4858e8618eb13ea6

    SHA256

    53c20bc945a10b40b76065057901fb58ef307422b1f97e56e7e6466aa87c5019

    SHA512

    93fc0e82bf64f9da8d4ea1b8196fd7dd0d4288ef93fca7219341d9e2e2a4097150464f8f060202aa19aa142c9fadc4f03b5f07f8b205296bb9458df46b451a98

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    351KB

    MD5

    acd99d5797077a1fe02e1e380c86096f

    SHA1

    6f32ac5669c5f945a18a376b7aeb03fbf9469c71

    SHA256

    a09fb08db3879201f634e11563b87e431929b5a08ced28547b6dae499572d532

    SHA512

    fd5fdde74cadb323bdbe60fde77cc11fe0af2d43625a3abd6184ec19f8ec8a4c493c283a4cd6e6e0a3c7f55caef73435853a1c74c24cb3c04787dcb7921c2576

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

    Filesize

    351KB

    MD5

    bc55029e2e9b6111eaf30a6609c428b9

    SHA1

    ecef9451f737192c6960240b03a8559655e45eec

    SHA256

    cdcafae1831f181923ad5aeec5578aa5f75f222fe86e735768ff0a7562307a93

    SHA512

    aad6379c30569a1ed37e3b1a431d7d5a2fc6f61dd0de552389a398cd75240634c3a8cf9392e9bed87e0810eb4ed53d488c1ff3b819d78a90b16667e4cc8cdd6c

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    ccecc66414253f1a99d50b69a4f50786

    SHA1

    ec137ef8d3cbd8fb74851419cc742326d7883959

    SHA256

    f923e7edb48a2647890cf563d9aa9221e39ea8468e237ffa89e89a41be9e5461

    SHA512

    bd4e8b6ec4dfc317e2211595ff0c8442830332d2ae0e5aeab626f08094365b2a6ca1a47d00dcc40426bf1e352bba2e4158345ae13f80a0442ce5acc2a71ad960

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    351KB

    MD5

    4b461721bc0a851b7f94efe5bdfce960

    SHA1

    4c6a820b61009ee93ded4eb18c4f6df609754b70

    SHA256

    389ba6ed46993f450f7dfeb29521dcedbc74acb9c22425a2466c9e6e67d10f6a

    SHA512

    1e823e386f707a75ca9d6c00b94186fe42d3dded3cbb44bd9d1d3277c59910c6a5cde9f06962ef9dbb43b3c7efcd7f943a6230905ec5cb8e00207307d567cb73

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    fa1569fee399b2a1c600a3f3e2894a9f

    SHA1

    d09da83297988efc7f05c3f4283bf0616e0552e3

    SHA256

    b205d8c1f0c128a73af22881e4f3d42871e88ac479217ba8c02a2dca6eeddef4

    SHA512

    adbf244ff31a95eedfa473d0b5e50a20544964a19bccd71903637a437a3ea00202d639dc08f5113744576621c1600bae5ebc88212cbc4df3d69b7fa75981c3ea

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    20b2d721c1d4f7bc4f5e5985e8b77ddc

    SHA1

    8c6f37bc3601b5ffb3404392651d6cc5132c8ae8

    SHA256

    f7cddd4d4e3877431dc1406ef6f5a578722e342a69afcee5c8e554b8e2c0ce0e

    SHA512

    06bf388318f384dfa7fc0685b74f8b6fb409f23199a5e636ef95cb685e005fac3da175c35586511591f2e40e410d50c77c15d17bb652adedb9ed5395c392ea19

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    2896712a5abeba90d6be52bc9b8bb30c

    SHA1

    3f844489a6f5f471095c8d843411297e3167f9f0

    SHA256

    34eaf950847cdf0047101247f52711151b108665cd07b891ff86bfbe5e7d564c

    SHA512

    42eed21542e943dfdc527d72ab669fc59088b4a65ff787aeaa4eff4cefbbc914040c0002dce6cd9763ec4add9d388c3c99514a8eb3f67ba1cf1e1cb058715512

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    351KB

    MD5

    46af153ff1ca8bbd9922ee1cd457aa00

    SHA1

    c8a5f9ca564f1b95acd5e3b8de8235350b0fbc75

    SHA256

    11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45ab

    SHA512

    d60c807faddc883c0d61d403c58006ee38076ee945a9fdd38c4c69f845cdf33533d752a9a7d7f549fb0f08159c5c4c997c6d5885dbed2c82e276e9ff611674b6

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    2a1e5e6219b706b0878c7b004457de36

    SHA1

    2a4cbcdafb20e95c9c990a545edc3233d2043fd4

    SHA256

    06c9894edee882976500bce6faf42d516a5b9bbc30e7141c55e1160eeee84ba8

    SHA512

    44b25ffc6bb68e1fada8eec71704044d9e0ae3c2ac3c37d9e9d4cb20e01f4f68ac1c97a0eeb2155e0440573260c9dbb6d6d0ff4d2784741c3f5580f620665431

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    1dad9422feb7beca84e26e618f22a62a

    SHA1

    d58a5914c1cfa93a9501dd9dbe0618eb02ebb55f

    SHA256

    c4878846014046e367e45fd4ada1030650b99ada28e7ce5e6f004df2d457ad89

    SHA512

    ed7e36bb8052a5f8aa79ee5a77b07cd455070110097597679b3fc90f0591797232c3d6acc93bfa71c36cf7eeac6c32623ea19fb079c0db06233c73736142c4f1

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    351KB

    MD5

    4e59cbcfa6b64068364793dd2e7a3afb

    SHA1

    e628c628c31287c5f8ce8b6a0ccb0be6f9c2fc30

    SHA256

    f6f5b54c06814587f8398adbc699622af9b5f1a54b8f6279e0604a437d453b2b

    SHA512

    1925a141a22fd832f5b8d4a348093a3dd9866ca165335fbbc3fdd1cd9d7b2dc236c71fd6176cc9268b6af46ded884047a171ee9eaceef7b289b445a1d405cb95

  • C:\Windows\tiwi.exe

    Filesize

    351KB

    MD5

    d60b5b791378519a685b501f00b14e00

    SHA1

    6791e463e5203a800c9f0ccd7d7197fe0052275e

    SHA256

    421bd732cdb0da908f7f2244445ec8a83508de9465fafb9f5309537e11e2ae36

    SHA512

    a3e6f3be17e4661c52749ad4aecacaf8a2565b8bc430478d860fd430c74665e7e253b930e40caee73bb0a9a9c141024195503dbda77f1a99bd4ae8d36b6057b0

  • C:\present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    0468888c13690e481ba93ccad41f804f

    SHA1

    57ff21e6a2572df4048c38a8af7c6ca9b0b64fc1

    SHA256

    cdcd1882cb322514f6b9cc7e6ca45efbe571f71c46bf69f74c18ea99e50760f0

    SHA512

    d789f870199edb3a5dbe189bf3ffdb40aecd2a4dea6351a06c3373e7ff6fd13bfbcbaef0062a04b9359cdb5ab3f547ea4a38a32f66f6f20dcefea701c748139d

  • C:\tiwi.exe

    Filesize

    351KB

    MD5

    ae11a3fec917fe3f4117221e7576a12c

    SHA1

    15ec1e617441c66409be931892d1c99b5c7df127

    SHA256

    3b90952befd1eb27c8dd0efaab531f2e135670dce59617c2223fb66f60be8b68

    SHA512

    78a3d1c8a2317d3c948fbc47556636ea8c04c483f7d0c3ace743f8294719a043320afd2ad834f2b2471ace64f6dd5e05f28059be92551707c749acb04f37510c

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    351KB

    MD5

    c1353ff7b3bdc7b186002e2631d7c4bd

    SHA1

    497105a6e94368c6d59c53e71830d056da2e6bd4

    SHA256

    b7c3c45eb92d05153f527ab19f964336fd2f3d52754d680f8dc7fe58007d6091

    SHA512

    b385a555687d47d6fb26a43d642042937356c3cecb2d19737b5e90afff42a3b8d445a492ed907ec8eae0eaa83058e0cd7c7665c0a2ed98447dc985115a2a8555

  • memory/264-223-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/264-166-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/264-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/540-280-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/540-282-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1040-271-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/1040-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1488-218-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1488-219-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1488-213-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1816-445-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1944-401-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2120-406-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2756-311-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2756-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2756-273-0x00000000037D0000-0x0000000003DCF000-memory.dmp

    Filesize

    6.0MB

  • memory/2776-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2776-443-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-274-0x0000000003810000-0x0000000003E0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-100-0x0000000003710000-0x0000000003D0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-272-0x0000000003710000-0x0000000003D0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-276-0x0000000003810000-0x0000000003E0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-98-0x0000000003710000-0x0000000003D0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-110-0x0000000003710000-0x0000000003D0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-109-0x0000000003710000-0x0000000003D0F000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-444-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2956-165-0x0000000003810000-0x0000000003E0F000-memory.dmp

    Filesize

    6.0MB

  • memory/3016-298-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB