Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
18/01/2024, 20:43
Static task
static1
Behavioral task
behavioral1
Sample
65fdbb4874824edbae3b8ddd9758f7f6.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
65fdbb4874824edbae3b8ddd9758f7f6.exe
Resource
win10v2004-20231222-en
General
-
Target
65fdbb4874824edbae3b8ddd9758f7f6.exe
-
Size
274KB
-
MD5
65fdbb4874824edbae3b8ddd9758f7f6
-
SHA1
13fc501a38199ad1e58e301eccc72f08a490068b
-
SHA256
67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a
-
SHA512
60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4
-
SSDEEP
6144:2WC4YgB9Giy6WC4YgB9GiybWC4YgB9Giy6WC4YgB9GiyOWC4YgB9Giy6WC4YgB9d:FtJ9GiwtJ9GiztJ9GiwtJ9Gi8tJ9GiwL
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2564 Tiwi.exe 2904 IExplorer.exe 2996 winlogon.exe 2796 Tiwi.exe 572 IExplorer.exe 1376 winlogon.exe 2476 Tiwi.exe 1160 IExplorer.exe 2052 imoet.exe 1096 Tiwi.exe 1496 Tiwi.exe 896 winlogon.exe 1724 IExplorer.exe 2284 imoet.exe 2836 IExplorer.exe 2840 winlogon.exe 2892 winlogon.exe 3012 imoet.exe 2956 cute.exe 2952 cute.exe 2752 cute.exe 2636 imoet.exe 2920 cute.exe 2780 imoet.exe 1692 Tiwi.exe 1140 cute.exe 2800 Tiwi.exe 2648 IExplorer.exe 1148 winlogon.exe 1420 imoet.exe 2552 cute.exe 2676 IExplorer.exe 2064 winlogon.exe 2540 imoet.exe 1972 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2564 Tiwi.exe 2564 Tiwi.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2564 Tiwi.exe 2564 Tiwi.exe 2904 IExplorer.exe 2904 IExplorer.exe 2564 Tiwi.exe 2564 Tiwi.exe 2996 winlogon.exe 2996 winlogon.exe 2904 IExplorer.exe 2904 IExplorer.exe 2904 IExplorer.exe 2996 winlogon.exe 2904 IExplorer.exe 2564 Tiwi.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2564 Tiwi.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2904 IExplorer.exe 2904 IExplorer.exe 2996 winlogon.exe 2996 winlogon.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2996 winlogon.exe 2996 winlogon.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2956 cute.exe 2956 cute.exe 2956 cute.exe 2956 cute.exe 2956 cute.exe 2956 cute.exe 2956 cute.exe 2052 imoet.exe 2052 imoet.exe 2052 imoet.exe 2052 imoet.exe 2052 imoet.exe 2052 imoet.exe 2052 imoet.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 65fdbb4874824edbae3b8ddd9758f7f6.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\E: imoet.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\U: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\V: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\G: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\N: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\W: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\T: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\R: cute.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\S: Tiwi.exe File opened (read-only) \??\R: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\X: winlogon.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\H: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\Y: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\M: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\Q: Tiwi.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\G: winlogon.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\N: Tiwi.exe File opened (read-only) \??\W: Tiwi.exe File opened (read-only) \??\S: 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\X: imoet.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf Tiwi.exe File opened for modification C:\autorun.inf Tiwi.exe File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\shell.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 65fdbb4874824edbae3b8ddd9758f7f6.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File created C:\Windows\SysWOW64\tiwi.scr 65fdbb4874824edbae3b8ddd9758f7f6.exe File created C:\Windows\SysWOW64\IExplorer.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\shell.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe imoet.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe 65fdbb4874824edbae3b8ddd9758f7f6.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\ IExplorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2564 Tiwi.exe 2052 imoet.exe 2996 winlogon.exe 2904 IExplorer.exe 2956 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 2564 Tiwi.exe 2904 IExplorer.exe 2996 winlogon.exe 2796 Tiwi.exe 572 IExplorer.exe 1376 winlogon.exe 2476 Tiwi.exe 2052 imoet.exe 1160 IExplorer.exe 1096 Tiwi.exe 896 winlogon.exe 1496 Tiwi.exe 1724 IExplorer.exe 2284 imoet.exe 2836 IExplorer.exe 2840 winlogon.exe 2892 winlogon.exe 3012 imoet.exe 2956 cute.exe 2952 cute.exe 2752 cute.exe 2636 imoet.exe 2780 imoet.exe 2920 cute.exe 1140 cute.exe 2800 Tiwi.exe 2648 IExplorer.exe 1148 winlogon.exe 1420 imoet.exe 2552 cute.exe 2676 IExplorer.exe 2064 winlogon.exe 2540 imoet.exe 1972 cute.exe 1692 Tiwi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1204 wrote to memory of 2564 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 28 PID 1204 wrote to memory of 2564 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 28 PID 1204 wrote to memory of 2564 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 28 PID 1204 wrote to memory of 2564 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 28 PID 1204 wrote to memory of 2904 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 29 PID 1204 wrote to memory of 2904 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 29 PID 1204 wrote to memory of 2904 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 29 PID 1204 wrote to memory of 2904 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 29 PID 1204 wrote to memory of 2996 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 30 PID 1204 wrote to memory of 2996 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 30 PID 1204 wrote to memory of 2996 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 30 PID 1204 wrote to memory of 2996 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 30 PID 1204 wrote to memory of 2796 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 31 PID 1204 wrote to memory of 2796 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 31 PID 1204 wrote to memory of 2796 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 31 PID 1204 wrote to memory of 2796 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 31 PID 1204 wrote to memory of 572 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 58 PID 1204 wrote to memory of 572 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 58 PID 1204 wrote to memory of 572 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 58 PID 1204 wrote to memory of 572 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 58 PID 1204 wrote to memory of 1376 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 57 PID 1204 wrote to memory of 1376 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 57 PID 1204 wrote to memory of 1376 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 57 PID 1204 wrote to memory of 1376 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 57 PID 2564 wrote to memory of 2476 2564 Tiwi.exe 56 PID 2564 wrote to memory of 2476 2564 Tiwi.exe 56 PID 2564 wrote to memory of 2476 2564 Tiwi.exe 56 PID 2564 wrote to memory of 2476 2564 Tiwi.exe 56 PID 2564 wrote to memory of 1160 2564 Tiwi.exe 55 PID 2564 wrote to memory of 1160 2564 Tiwi.exe 55 PID 2564 wrote to memory of 1160 2564 Tiwi.exe 55 PID 2564 wrote to memory of 1160 2564 Tiwi.exe 55 PID 1204 wrote to memory of 2052 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 54 PID 1204 wrote to memory of 2052 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 54 PID 1204 wrote to memory of 2052 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 54 PID 1204 wrote to memory of 2052 1204 65fdbb4874824edbae3b8ddd9758f7f6.exe 54 PID 2904 wrote to memory of 1096 2904 IExplorer.exe 53 PID 2904 wrote to memory of 1096 2904 IExplorer.exe 53 PID 2904 wrote to memory of 1096 2904 IExplorer.exe 53 PID 2904 wrote to memory of 1096 2904 IExplorer.exe 53 PID 2996 wrote to memory of 1496 2996 winlogon.exe 52 PID 2996 wrote to memory of 1496 2996 winlogon.exe 52 PID 2996 wrote to memory of 1496 2996 winlogon.exe 52 PID 2996 wrote to memory of 1496 2996 winlogon.exe 52 PID 2564 wrote to memory of 896 2564 Tiwi.exe 51 PID 2564 wrote to memory of 896 2564 Tiwi.exe 51 PID 2564 wrote to memory of 896 2564 Tiwi.exe 51 PID 2564 wrote to memory of 896 2564 Tiwi.exe 51 PID 2904 wrote to memory of 1724 2904 IExplorer.exe 50 PID 2904 wrote to memory of 1724 2904 IExplorer.exe 50 PID 2904 wrote to memory of 1724 2904 IExplorer.exe 50 PID 2904 wrote to memory of 1724 2904 IExplorer.exe 50 PID 2564 wrote to memory of 2284 2564 Tiwi.exe 49 PID 2564 wrote to memory of 2284 2564 Tiwi.exe 49 PID 2564 wrote to memory of 2284 2564 Tiwi.exe 49 PID 2564 wrote to memory of 2284 2564 Tiwi.exe 49 PID 2996 wrote to memory of 2836 2996 winlogon.exe 48 PID 2996 wrote to memory of 2836 2996 winlogon.exe 48 PID 2996 wrote to memory of 2836 2996 winlogon.exe 48 PID 2996 wrote to memory of 2836 2996 winlogon.exe 48 PID 2904 wrote to memory of 2840 2904 IExplorer.exe 47 PID 2904 wrote to memory of 2840 2904 IExplorer.exe 47 PID 2904 wrote to memory of 2840 2904 IExplorer.exe 47 PID 2904 wrote to memory of 2840 2904 IExplorer.exe 47 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 65fdbb4874824edbae3b8ddd9758f7f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 65fdbb4874824edbae3b8ddd9758f7f6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1204 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2564 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2956
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2284
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1160
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2752
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1724
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1096
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2996 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2892
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2836
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1496
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2052 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2064
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1376
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:572
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2648
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD5a1515e2145e4a1e1d1dee07a7b9884ed
SHA1e81f5bdbb3610ac09a858e9c94737507e123827e
SHA25640fba1ee1098ac055debc2ba346588a1abc58419c0c4c186c7ba41b753382683
SHA512c86c7943b90b5337d7d9550cc5cc8a6087dea91247c2643fbebf1157b8ed347a649a160681c86a24755cf1b71b5490f0e6f484550e85326a31577f8b7dd06777
-
Filesize
45KB
MD58119ad941a12f4dc1f4a9828d3a94c9e
SHA10e7424d0f597bb9e2f36eb3a642768dedd8a7de2
SHA25662f54c698e0944f63a9ea8ef848da87c7ef7a90cdfa38567062c7a66b02bfb59
SHA512e886f4b474a8706209364107d4b0750a90685a6572d0be641e98d50be9f86da54494632befb4c239dd7db1ef54b8f84945e338568c1c49cdba48d3a2ed3c0399
-
Filesize
116KB
MD5d1caaedf7dcc078e5272243ea2755c21
SHA1fe99f058db9c61424da63c62f012dbb2f82f2658
SHA2564235da98bcb0d5eac4e8614e308a6cae55b464f29275abd88e7a39456966a846
SHA512b8a8f8ab92ed4a57447356c3983bb4b0757b56bb6af60fb1f4d5f49184dd02918e9ee874c2162cfb29e0eb36b075d907ebdf2f2333cabad76af0750c2a8ced00
-
Filesize
40KB
MD5e36f9d52ecd7f97239fb76641043bfcd
SHA1504f16b49e16dc97d81249e5731e36b29937b89c
SHA256ce8e7c3bcf18d2839decb2360460f166c6b69a62c375b201a7c01fc9b9d48341
SHA512d1ac15e19ce105710cde9fbd3bfe90f225ec8417ac590b0aeeaeaf40a73bae4a770561b12f11ebd3874d61d2dcc2acea9c63a4c0dafda378e396576dd68e5273
-
Filesize
169KB
MD5797f02b95cdb321406fc6c8a1e93fc83
SHA1a86fe1cc8ad30bcc6f2b85479157e8c4fba6f26e
SHA256c0c87a9ce674853f4d86e414bdfe49074c6409f6659ebc249613ce44484f888f
SHA512618075af3edd2cb55acc86fd4c4a5823e93c48522019a44b39b3bcbdc39a383c24c21b7df6a2d93d5730136ab363e799b11805191ff4b385e904f8833b3909e0
-
Filesize
274KB
MD5937c02a2f4fc1705d464f841440571ab
SHA1a641bd9d5651bd5c7d7dc3f7006bc950d89e6347
SHA25645d837b052b0ace5fd1ac9518029d1a54bad49d825235cbb381037ae68a5ce21
SHA5123a7ca1d14c79b906b339e288efdd20aee6b233d98d35350e09293aa424fedd7ed6e4dde7d17d83ecaf57b41fe404cf817ab35173c227519211164ee68a0df869
-
Filesize
274KB
MD5c09a1125487eaaeb148b70534cdbd484
SHA13e55a152f40a29bb43e5d96d2339b6850345993d
SHA2560caefc8a189ba2f8c1cc9f6361870a05ccaaa882904f6981472b729dae406089
SHA51262ef792b7d7419a23d2ec721c28147589e21a3168b132bd47f7881f8b8a24fb16d29510ca04e5777ebce5500c01cb56a740e8d733632f355598a251292af60c6
-
Filesize
217KB
MD5b7f4b9831e5319b67e3fffec007a2e4f
SHA1fb806b247ad05488e1c193d800796cd93d1fceb8
SHA256a502ea3855b869929ec0e802824a01724260da34b4ce249f912030405a7e9d61
SHA5128babd8ca9954e3609c0b13c9f3f4b91076f7d184825806aa625b598369bc86548a6fd40325b9e7fce5072db0ced95c500a441d323bbcb251d59272c22654ffb8
-
Filesize
45KB
MD52ef6d0776eaf1b1354400f54934fc3d9
SHA1ba07f6d2438a1bf1b6fd2e22167599aeafe5d422
SHA2565f66dc37c4315d8156a0af2f9c43c7f91672468b20170683ab6d5ca37845773f
SHA512074192140df5c2e19f62c8d42e20498c76fd246ca148de29ddbd41ad41d6756e599697e39401aba9a2bd98e3be22072c8bdcd5a4f26a8f4ae384c200a5549003
-
Filesize
45KB
MD58e07dcd7f47a5515f7fa68da04b2e16c
SHA172cde03721ab41e6c69a60e18b6e79bfda22eb50
SHA25690dd8449544083798d80b470f8aa5c82873d93147e4f3214f15faafe7ef9b080
SHA512b4e36f283e86a95fa730f5aa173a3502d5fd0e5c3d634afbb476e8d501c69b47c063d32542cae3fdbf0ee91b7f0ca8db2391aa4e74865cc4628e8f7a3248c961
-
Filesize
45KB
MD54a13daa8e597656281e6bc730524013d
SHA104ff5c3af82ff96cc6ac1ef5ade44608bb05e253
SHA2567a631158d9fc9e349fb0b87b67ef1e81571752bd81b55021ffcc1af06f427f91
SHA51254c1a125ad3b90c118d00bc0deb99fd684768dbfe02475b41514495da3674897563477b6f4efbba50fb72f990187f576730c8af6eb4c4816ec688216fc2c8fc2
-
Filesize
116KB
MD565880c4a980ee3d3c9cb68669d09d3f9
SHA11c3b47745d72de11c5d93f8486a7e237738da482
SHA25615bdadaa6b83e4768c78ebd99bb7d17d61c583fb0b1258bbb76a6ec6613eb3cc
SHA512bda4ba871e3b1972a5b7ceeca0e4a467258c84d44ebcbbbf7076405b448d94e75c84485042158871c4c806477a5259fdadd52a0e606ce8986dccf0e2bdfe6beb
-
Filesize
130KB
MD5c059c5e521847d7c84d613bda53c417d
SHA12d47e45c990528cd8c78e093c29517e7a9e2d9fc
SHA256d7e11d28b96fbaa043ba35adba1725fa0189c607776b84107cd821f887bda3d9
SHA512a49d2f5c52f232fb49442e23d6973dc598e999366474cf1fa04803b09c4d09d399f66f53769fadfbbb3026d9d96e03799ad5c631316a0029971b670344899ebe
-
Filesize
274KB
MD5c74068870764b20584071480e7bd0d79
SHA1b40d2cc244fa9f8d3396ef4730b9a1509a6c267b
SHA256711060259a5a5befaea31a95f16a6bf4fa267fa422c111ac6a695a9e846d2b3c
SHA512de23670612817606bf40b4b91e9bc30fc4994fd4963cb1d1a34ac9abce4ae8986ea98edae7b780d3909b577d4e0988a494256c30974e187bc684f4ced9b129d7
-
Filesize
117KB
MD5ce7e48dc7995ba5da358665880bad115
SHA14a09649e5f63938dabbd6a82388bcb2910211ffa
SHA2567b2f9ff048b0b006a15d6f4ae64dbe5d308baae4d51d28a60e722eaf4b1e9066
SHA512c3e8581b60fd681c31e80772f3f1820355d1189422f7b9e63ac7fcf1b9156ab3074ff94f656d006a9c90d8b7bc38dec078b0681d45ef1b0106f76b2f49dd480a
-
Filesize
274KB
MD591618c32d5b760a16ef0c5c87d743a2d
SHA16b6267ceba603ccde313c02e87f91f8a8e74b26f
SHA2566fa1e7ce49effab018c98f8fcdf08a66febfef1388079cf62d6a6d0b65a140b0
SHA512f0f2caf4a0c6def4e602dbfd40449a73f1a00345c8cd1ef896d876130fc80d9e650cee7f37e4b0d6300e271db16a126ff42759d87a11b4f779e3ece358f1ea42
-
Filesize
399KB
MD5436c295f145943b64388e234246b7650
SHA1e9196fe3fb0ef73a0fa251944e57c22d41f561e4
SHA256a1f8cb454f038d0459eba7a265bac79375f5e673efaedd934ec4bfa03ea64236
SHA512cf4e3147f7b903f7ab5fd0112036db93f919f4d7c47aae799fd7e04bdf0c42782daf00fe80ccfd68ba31dfef238065838fed90dc04ab8964b6e0238865c55518
-
Filesize
90KB
MD59fe05d709186f080e9767b3f1e77a7cb
SHA1ff9286c16666378fce0bfa9d84273ac75afcd73a
SHA2569019205f18f642930651c833013a35e46a79d1fc391ae44d81bbccfa52dd045b
SHA512149ae9f45284f51b99a7d33be157a9a3cf6bb2abdfb988637e226034cb4dffc6fbca55fc3e1b2f1e5883b0b7aaffba003c45b4d1300cbd5e77c36a0addf3cd69
-
Filesize
100KB
MD52972b16f826aec19e8da1a282fd592da
SHA150400cc2a57f308fa5889647fab69c32bf180496
SHA25631b0d5da2fa67fb84111c5872a0574b71ed3022c7766b1f262f832fd63532f8a
SHA512b3b9ba80d8d17c07e7b34dff649c3bbeb62e7b3ed4ba3eca0214928fdad84b50f6fb566168f1024cc798e75b23498004e59e24f0fc0e7658898d9bbf8f103440
-
Filesize
274KB
MD50dd8cd314d94cfad0f1f3d2e4de8d5b2
SHA125e786ee702998ebd953b89028b9ca6d471c55bd
SHA256504d66cc6d5167f73f31fa5130ab5c5228b0c92651729fc10b348c610de9835a
SHA51224223e39372f7001019f06d74ea2b932ba75d309d46343708998db458225a75f84c96648067d04aaaf1ac33dd78352784913d4c8a4ceeef3fdb72d68f1d2a38e
-
Filesize
136KB
MD58455a6359f78de91e6b0bf637631607d
SHA111268b8e4c88320f668cfb5f8bb68257bf5b05d0
SHA25661ffc661a171df73d36836251e8fa6485216d11591e9aee4d0dc60b63bd7c992
SHA512d6af0cc306399d3db02a6e5f7ae5d9b20b176403e449b6aa4add402cbf60f08eadd009e8313834e4990270065ae9dac3f38735a22a0580f754d7db15ac659f2a
-
Filesize
274KB
MD550a683ee38676c2d2597252078164e19
SHA1c9a0e7e840d15b4f813ffa807415c3424fe57975
SHA25629789f4f573a4f4ff1a1618605e7667f9a014b4bf5f64172fd738e7a51475c7e
SHA512b4108fa91ef232d886eacf085f31fd2d4eb36da72afc3874e6c41977566b8457d4cc336e11463fe897ef266ab98f83f5c5ed471aa68d5eeb4e31248b84e93ba3
-
Filesize
274KB
MD565fdbb4874824edbae3b8ddd9758f7f6
SHA113fc501a38199ad1e58e301eccc72f08a490068b
SHA25667c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a
SHA51260435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4
-
Filesize
166KB
MD58bae946b0dc168acc0164ee6e6e438e9
SHA1ca377cf98561e268f03e38bfc521ff4efb445a3b
SHA2569e24974ddafce7bbe2ecf42dc1f871666b8eafd2445fea07cb02855787b55de7
SHA5128135bd76389b613d3958907facfa30e7fa85b7f4cf9bc0f076772dd1348f5ce8e60268eb46de5930b821b458070eaea4067be77865681c8da0c1f947e1791138
-
Filesize
58KB
MD56c61b940c4911b0bf1ebabb60a3d5599
SHA1a91194505830fe3bb1e6866446e7109f515c242c
SHA256a8e840991d1b3d40f8838bcda230a340e2c8bd5691483897562a70a4ae2763ec
SHA5120007c65fc46dc16bf5ae141640115ddd741bb5de5d1734463fbfa8da691ccad0e24f0e7929d63ecc075fbfdf32744410f96a769bfd820636633ca63ad6f9e0f3
-
Filesize
59KB
MD5d021b315fdc330d4a37f8a581da1742a
SHA1d3eb8c0fa7871f52fa15751468b8802c21d961cb
SHA256d8c649e289ac98980d0854560eff0a127f9b079a3926194a110b38e4934c2e1f
SHA5126808e415ee9d14cefced19e783becf2bee9d916863752726549d6980717b4374ff81735a0618cad4e964f71db139ca0ccd0fa41e406d5397a9140f85efcc0c40
-
Filesize
32KB
MD5f93d0ce1f2f4021ffba0edad8c37a317
SHA10dd07de451a77245e8ae5102172f31f32ff67b72
SHA256ff1b7234f669d84e8df56c7afb0353cfabc19a91abb56fce166b355dd0307140
SHA512f3ec4165c141b23ea87c1478acc1d8d420058b1ea9822c9222643394325f583e84bd4e8b33b98548d9c0f2b410fe3176ab5b9462e7761d963c72af39d660ec7d
-
Filesize
274KB
MD56eeb0d26840cadb4dcddc8c8260a7199
SHA18fd33fa9ec2407e1c0df3b1084e3caa0bbe21fe1
SHA25683422e1fa2a6076c3bcafcb8ee34c6bd5cf26f5be32a49ea02ac8790b7f23462
SHA512b246f3a7cdcee93e68a6034c62e3a78d6c1b78ea05be99b9d5c9e18ef3828b52bcab353737ee25c751a698f8ee8abfa6c22fc74c97797045e70c0a3f176a045c
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
274KB
MD5d31470542e7311e0f2d6f237f064ec5d
SHA1c04aa0b3e05bdef0ae4d66dad2c80c5f3d4a9251
SHA2561da98bbf2d33a563750b245ef3e1b15763cbf5a36217c1ac15eb48d13a2c8e36
SHA51250fd31398e484feaa1cffbe3a71cb29611308b44f5a34a0a114ba0a06a1a5b743d95f8ac903ef779299e4d8a60b4f63410a5af81b864d913bde77e784eea1020
-
Filesize
274KB
MD5b82b9410c08b9860595c70b7548ba2fa
SHA118aba6787c5b5c565155e93132bb439578583245
SHA2564c4f4e6363a3c9b3e7b6e3a15161c33cfa440ff75e87787869f198d4b2ddb797
SHA5121e2f5e3cab2e37499e931ed2fab37562f6ffd366a6d91083c462324a41194a54511acb9f76a39243726983974c92680a91a44d0c85cbfd706ae5c0ef0543d7ba
-
Filesize
274KB
MD5777ffc7ecc017cfe329c9e4bdaeb752a
SHA14871cb40c0f95ab1e4527889c73701b8ce55b56e
SHA256fa9d0957a54136ae5723c66d2ca56e08d62e7c798a9650206d2fbb4f87de4df2
SHA512c99287ca481b0c06faa1456a357e856c3600513aae9899c3253405ddc3b360e89d3979048fbd9370a3f4739e4973f1f5fc1b1d53fa8704ef75bd5ca48af4aeb0
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
274KB
MD55c564b592910d4c281a9affb5b2cf300
SHA1c5e2ab45149898db02efc1956bedd062639917f9
SHA2567080109237b3d0a698527cca78285434efcf443d82251bf027f9f433e8277037
SHA512b0dca032d58e3a4a98fa04b4e1cba640b4479fa0e13a4f7bf0bf0631920976ed69c0d0293224bb86092f22cb83043c0bd1f460bf375ed7b1ab774f2f4f5ee6ec
-
Filesize
274KB
MD517fb750d5c2737a5090154a1e13144f0
SHA179f25a73e097ce873dfbf74a13da7c264cb0b4c2
SHA256ef8d814c66ad6d7b5b010626a5cf553282879bf45faa69f56d5ff0b066711966
SHA5123f1f12543988e60875cc5ffe8f5325c8ddc4686ceda321df28e23289c63510d78c3e4a213588d95d00c1421a718eaf3156213ac946d078699eb8cac16e6c550c
-
Filesize
115KB
MD5b4931954fffc2888073236ee57ac1b9c
SHA1adb4ab37613d8ef472774ddd0c825a6fcc06be3a
SHA2568b8740cccd2a9819a85705dcb96132dc0337b0de833eb4e2bdca5072b325de60
SHA512cd575946350092bfbec360a3c97bf806b8525b3dc2bd1c78b51e06583cd0e8560bbad198351c40b8cdec6757b8a5920953fee970319ad19edd0681ed3292f4e7
-
Filesize
55KB
MD5cd705efc3cd32115ad9aca0e973e7fb6
SHA1545b09f4240a45758bb2a10a31128dd2df0d6d9f
SHA256436da9399e8d0d2967ca0b7cec1017a2377f6d7fb13fb5233f61912f1d19f4e7
SHA512fc2eeb520cd73c1e0110239372dd40ae5305403686b9ae584e8ce8c59415bd3b86b4ff0a542d791b6234e83b1cfc75c173e7ee3c36912d14251d65872ad4caaa
-
Filesize
72KB
MD5ed025aab105ba24356b62adc89031ef3
SHA17fc799d71b7f4e0a5525d54b7907fed4c32aff0e
SHA256bc9137a9caad1f9b1618be34b52dabe6fdf0a11d9cd22b51573854b6b5d84d17
SHA512d25f222320e5fe408d944d3550d5a3de83448ffda7ae8f2475c789ede049e0261fc1202072b7976e6be444737b2fa0ff02203eeedaeef0ec6f77ecdc24c076ca
-
Filesize
214KB
MD5d2e3df3e10321fdbc0b8dd04d7ee12c4
SHA160f4eb4fab700c8744cffe612df2eb2232205a8d
SHA2566f5c1dae2e26b258750ef93d23929c5f91b244e5923f7de32f5566641e447c2b
SHA5127097d73f68d9da02ebb3303d3532bc4321920aa69db4bbc47aa84e79749714d02f04dfabc8bf224a26f67cdb93818e8ac2f27d15b03af160841d8561ed545e74