Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 19:50

General

  • Target

    0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe

  • Size

    488KB

  • MD5

    1cb6599d499046914145363734d37450

  • SHA1

    a41ff53d0cda57de3caa7d0c4aa25b422498c0e3

  • SHA256

    0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400

  • SHA512

    50fb387b5f1c542844e884d73521d18d0da8ee91672704d4deec09c2e80be5abd85e8b8540937e26da9a3ebba0c11e474bbb8b1b85705ed5df58fb725f5f36c7

  • SSDEEP

    12288:V/Ms/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VPK2O2HIBEd7M

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 53 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 8 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 40 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2540
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2224
      • C:\Windows\Notepad.exe
        Notepad.exe C:\Present.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2068
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2152
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1400
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2988
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2828
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2944
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2272
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2160
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2712
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2812
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1992
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1760
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2848
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2088
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1524
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2472
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2356
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2288
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1488
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1504
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1100
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2964
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:500
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2948
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:316
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2204
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2000
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2220
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Present.txt

    Filesize

    729B

    MD5

    8e3c734e8dd87d639fb51500d42694b5

    SHA1

    f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

    SHA256

    574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

    SHA512

    06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    39567e7ab98b08a80d7d83f8e4348171

    SHA1

    67a9bfe84b3fe0201189447d76f1e595639abbf3

    SHA256

    5c7183fe005a9cb318eea52b3a8457c2ee8f000f9f4c7bf3dbf5b1c409b4c93c

    SHA512

    1919b8eac3ad060d8268a6fce9b34c1116219994f0cd21091d2b9ea32f6c77acec9bba00f72917cc3824f1c1d0396bcc00da73808f0bf426e70d1c2204bbf157

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    c5796e66f806bf6e0294d502c4ab11fb

    SHA1

    34d84cb102858b31ef979e78815d9396bd92c96b

    SHA256

    a75f55a9752a8bcf7c8da6b0be331351445fc2564c180fce96ca8e7264a7b8fd

    SHA512

    cfe170d741d24dbd1a9253e1e0df1433c18f7665d89b09824ee0b07bbd9adea0529764ff418432131ea205b051f606a3ef210c957fcfea5f57b5214abee8fcff

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    37d3a5bd44896806679e9761d931d517

    SHA1

    415c6f59317d1ace1173579319b0922e9cd77093

    SHA256

    96e3685d248dde7cb74a48181ebb6d3c88aef415a1166fe23634b71d829b0971

    SHA512

    9912fb08464a313383adc3269e63b010707adbc9326d601a0bb579a3a575d5a89456ebc7c6af8a3a704c2f434a7e9acaab6986f3b9f7ed7b9b28f465a901c9b2

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

    Filesize

    488KB

    MD5

    687efb146eed5e76b4a18e88b9f358e4

    SHA1

    bd3522d3198f81b2d968e1be537b334bdeba679a

    SHA256

    51465d223ff76b9d43a0b3655aecdd79c2f8fa15c2fd0001c1244a0309427948

    SHA512

    9d82dd09c890709f0ec21b2d09d016c4472bd7b035ce0acc5e06082e322dd0badacc9dc2d5a417445d07871b67d3b868bc55adbd9bf5b9e2d4d304e0cdca2185

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

    Filesize

    488KB

    MD5

    84462bcbba72b276e1fad85bac452cb9

    SHA1

    4173a84243c507f5b19834d570c8446095b7483e

    SHA256

    39db6a80b4732ee193713ccfc2260d3853d51f421e5f16795890bcad646c01bc

    SHA512

    a7be382a25b981c1b03b66e344020dc4cb1959cc46ea3a90163f82956b57c77601b88538fc1060261bfda70a9d725af235492f44e187b336618eeceff03fecf6

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    2470de4a1dcc27ef0c111a9be35adb09

    SHA1

    821a541d88cfcd688d2312b36be69d730abbbb51

    SHA256

    3ae3c5131bdb74d18ec1eaddc1e4cd43e621204fb98efaca65597b648dc4c344

    SHA512

    dfa1248d27cae45264ae6133d1f8c7550d55f3ce8938b7b67ebfa81b3f511fde3e8ab3d50037754547d48af44871dd5ec0942d07b7428d58f97618228202131d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    fea9e6a8fce415dad64dfcbf225e83e5

    SHA1

    ff7f956dfda3c96d4c2ea321ad6eb08eca22ce35

    SHA256

    5ff71daa3a58ffac70c378633ed0a6bbfc2f9475d0c4c0762e4ddfc8fb217202

    SHA512

    256783d6d951ecb3a35b69b380a3d542b2fb30d3740b78a8d5e9a3c35ece6f25e1ddb00040df7061d6c4a54a89bec161a5609a146c6d1da4f0e0ee9761bfe908

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    d86479ed6b35e96e4a23e154172bef87

    SHA1

    adf1e6f6745e2e4575bd9a7b232dd83d0c29ba51

    SHA256

    564e3692f878b319cfd135083ab424a9a81d9bac3f8a60da57fbf5a092b9123b

    SHA512

    d3cdfc4218750b577da976399086d362d3883e714fdea37facbfb02dd5dc3a46e5cd97cfd6a22730199a40b6d060624689cb0a30a9c37e36c3af8ab271a0d4d1

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    96f629898fa60059fbb39a501e7ce454

    SHA1

    30712506bf866ce5f18f2e93794836ee1f6206f9

    SHA256

    ba33eba864445033da30f74144b086487b0605e0192a5d9614152467e8fbac56

    SHA512

    49bee79092cc525e04f252e49bcc5cb39e01c54bf253ddabe52cf7fd2c9f3d9c3738d78a921648c234dedf6a2cc31f2db93716b0715da287d721f49fbdba347d

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    b45fc62150cb8c3b9db3f0989e89629e

    SHA1

    21674144d0bb72191d7fa4d1ce6b1a5bdb5c0211

    SHA256

    bcc3d40237127d3afffe5fec94a8a5d1b820e1c2d601cb7db7f8bd933524ac9f

    SHA512

    b82e0887b5ef6fb3d17662e7f118ec82813855ef388bb5f90ff0810f4894b0254f7c0e3aa2082df5554cd5e4bb4a432987e3c77c49c13ff59efef696ab547cb8

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    488KB

    MD5

    9eb64b5eef1ede93aada3cc040c4c702

    SHA1

    dad97e6b2c8a23d20354f613155ea4bd43d17a50

    SHA256

    f0f7f18fa188dd84a294aa22ac0b8f679eb30e291047a8a7c7b604b1c2e070d1

    SHA512

    a410a08922e9443d5cafa4d4816d73ee64a0f4c6d48047adf023dff6a9180a4aadcc75f56ca56f22f9560bb6f07aa67177ca18fa81d38c9686894f98e7d23872

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    a17cf39d53dfae6c64c939a16fb6eb43

    SHA1

    547b97a110c5117c0e41c36520d080f759401063

    SHA256

    c6bf0ec032d1ee25b51a75edb7dc8fd47ffa08e6ba57e7b1faa8337b53faa30c

    SHA512

    e232952d54ec3653de4ff1afad5aa658342a14ad62ba89ec06bd30781df471faee313d55b595ae615226d1965f950bd23e074c2f285279fb04434f923ba0d770

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    c0f836db916b28dde4107afe29540d6b

    SHA1

    c0984e5467a7414ea97a93ea836a25a0adf42244

    SHA256

    99a25841823a50d092945d7f26fc22672b248fdcaea627a910d38d09ca037ea8

    SHA512

    d49b1c68e0eec6ea294dbc732076bfbf0be282e6a81bc3f287256a11a00e92034f4689144948fdd6c60bd921fab4dd224e47774e4d956425483feda28c9d6b89

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    488KB

    MD5

    1cb6599d499046914145363734d37450

    SHA1

    a41ff53d0cda57de3caa7d0c4aa25b422498c0e3

    SHA256

    0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400

    SHA512

    50fb387b5f1c542844e884d73521d18d0da8ee91672704d4deec09c2e80be5abd85e8b8540937e26da9a3ebba0c11e474bbb8b1b85705ed5df58fb725f5f36c7

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    2f3d82aec15be2656075dcf301f31de0

    SHA1

    5c186191c77abd64d310afd0eed05bd87599365a

    SHA256

    39553a6ece36262d4784d4df12f9b69f9ad93cad8214ed1e7913e3e771d3580e

    SHA512

    ec3f7e5be9b6ffa4551de9c1118a949506f197449489aa7e4401f7355206a47fd8d0037b0a6476ae3fe5be48440cb40536948c019f135538633cb9b159be0a39

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    68525281db218bdd8f71104fe2ebb1f6

    SHA1

    42d4687f1876578f23a16fdf41ad97879b480de0

    SHA256

    8e1397ac125eca0479c78fe0f52cef534810cc7c835aa10bf3a9ff6f8404dc46

    SHA512

    5c25220486d3e012e8d030a6686c5f5bb0cebcdda7524cb64e2097607d8e9cb4d04f2fd28ee592185e3a17903f513bef09f5dfffed6ecbaf5f3cee851831b420

  • C:\Windows\SysWOW64\tiwi.scr

    Filesize

    488KB

    MD5

    661456e51fd80d4127660b67aae762ef

    SHA1

    f86226c1855c670bf5ce846995297d75bb5c0fb5

    SHA256

    29b1cdd4f5fecaf1f44b21d38b2139ed77cfec41872c9605f62269dd4efeb79e

    SHA512

    e961601ae64bc1759fb76b25770ef3aac4123e2386b065ead238dc86a56c22d07beb9737c56eeeb8614c09c4f01fa744e04e0e1a211c77d6cabe86630d502216

  • C:\Windows\tiwi.exe

    Filesize

    488KB

    MD5

    9cd8282436f047ae2af75c38c5cb520b

    SHA1

    baf0b0d4e93bcb60c47dfcde5334f50d025a5644

    SHA256

    e28a14727a225ebf526efd5549b3bc857a99bebee5415930d6b27ea0debb2dba

    SHA512

    ca9874dc8d889756ea3cb0bc67e521797ca4bff36e3a2f93c1299d66d81dcbbd38339512c55b8869bfa101a93b09cb72715a3d02c3ec6581754f9ff308956bc5

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    198bde1d0db258224b50f4ba17fba0dd

    SHA1

    19b1aaa680eb085018a726b83a0c175afb0737f0

    SHA256

    3753740ebc5dc22616cecf01b1becb8fd744d0b2aaa1fb3707bd418a9d0b323b

    SHA512

    4732eadbfd9439a4834da541567fa8de3eee0813e0809c4b6b9be35683a7be080ee166a9ff8cb3dcbed5ec5257a9c4d61a5960c88a25e5401604c9e4dcb9986d

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    d63d5537df7cf9671b26e4523a800ab3

    SHA1

    4dc9fc2a6970bdd39b889e801781da691ca84c1e

    SHA256

    26683ae91efafc5f2449cde293f506bde8e64578839d6712f5d6a0db82ab95d2

    SHA512

    7951bdf8b88209974987df3025b4d3a2f86387b76061b10c87979d2989114f06731bad1bf389ad65c8a26d1308f3441a51b5ed0b5c304ef7f51ef0c1ffda57b2

  • C:\tiwi.exe

    Filesize

    488KB

    MD5

    b113cfcfb420bca834d7159e1e36f507

    SHA1

    e38a801e07f9be214f637ff009b6d4f2a18bc739

    SHA256

    ce7e660fb06e01449a37fbe46ccdefa5058d75e08e7717fc2e23589b747aa5b1

    SHA512

    d7b56f1defe8c37eaec508d508385d7cce1899277f0d919d25bc0eda5419c212104da43886e84edf9eedd780e2853018c11aef46ce3cb36e04d71de704919e28

  • F:\autorun.inf

    Filesize

    39B

    MD5

    415c421ba7ae46e77bdee3a681ecc156

    SHA1

    b0db5782b7688716d6fc83f7e650ffe1143201b7

    SHA256

    e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

    SHA512

    dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

  • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    488KB

    MD5

    d456560ba13e6f1da5f4b5d56153f5e1

    SHA1

    73e11d31ce22957ad8baaf39045ff4862301c667

    SHA256

    edb89961d8bc3c2f5d5fbe1ee5e181bdbaf10e9c4a037ce1b73428070e5074a6

    SHA512

    995871d21dcb04e8071523759b66559c55bbb32a18da22ecce0ccf9cff188906598d7ad23a67e3c2c96dae86f9e3df351747df177c23ea3e8ab3cdca6d6c69c7

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    488KB

    MD5

    f043081ec0e51fa7a478d11633e5e2b5

    SHA1

    548d6177d988a99bc09df5d7f958578f31318bc3

    SHA256

    5f969f36b31fe72313c10311f0a71d2d0917ab0af743a5317217e9ba95262a7c

    SHA512

    5740430b6cfc9373ff20e8a636f754178538f1a2a7a86e8493f2216fcb6b592fbfc88d50d592e59d18ff6be1fdf6b7580c614f699530ce66c31bd56da8604251

  • memory/316-453-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1488-423-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1524-280-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1524-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1524-179-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1760-342-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/1992-466-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/1992-127-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2152-273-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2152-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2152-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2160-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2160-285-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2160-283-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2204-456-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2204-457-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2224-222-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2224-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2272-467-0x0000000003830000-0x0000000003E2F000-memory.dmp

    Filesize

    6.0MB

  • memory/2272-113-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2272-418-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-178-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-126-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-426-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-98-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-263-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-177-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-221-0x00000000003E0000-0x00000000009DF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-125-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-112-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-337-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-111-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-100-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2540-336-0x00000000037B0000-0x0000000003DAF000-memory.dmp

    Filesize

    6.0MB

  • memory/2712-354-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2944-368-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB