Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 23:19

General

  • Target

    d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe

  • Size

    488KB

  • MD5

    24bc92778dc6cd95a15e44bd2775d270

  • SHA1

    aa21996dc392e3807e7d7c93f0d69676087488c1

  • SHA256

    d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74e

  • SHA512

    c5c85ceb18913c42f1bbbb4d9ce2d56a3bc8b597e680a834538222b9f24fc4df956af376ff0469d107d0c9d414e8c8e0c8c3ae91d76e4fcc463858d9a0f33adb

  • SSDEEP

    12288:V/Mk/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V/K2O2HIBEd7M

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:944
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2596
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2740
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2516
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1356
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2084
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2612
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3008
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1716
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3052
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2532
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1476
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1964
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2868
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2300
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2584
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2656
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:572
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2728
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2620
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2272
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2076
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3020
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:956
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2240
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1564
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1496
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2188
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2624
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2540
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2288

Downloads
