Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 20:43
Static task
static1

Behavioral task
behavioral1
Sample: 65fdbb4874824edbae3b8ddd9758f7f6.exe
Resource: win7-20231215-en

Behavioral task
behavioral2
Sample: 65fdbb4874824edbae3b8ddd9758f7f6.exe
Resource: win10v2004-20231222-en
General
Target: 65fdbb4874824edbae3b8ddd9758f7f6.exe
Size: 274KB
MD5: 65fdbb4874824edbae3b8ddd9758f7f6
SHA1: 13fc501a38199ad1e58e301eccc72f08a490068b
SHA256: 67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a
SHA512: 60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4
SSDEEP: 6144:2WC4YgB9Giy6WC4YgB9GiybWC4YgB9Giy6WC4YgB9GiyOWC4YgB9Giy6WC4YgB9d:FtJ9GiwtJ9GiztJ9GiwtJ9Gi8tJ9GiwL
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (30 IoCs)
pid | Process
5020 | Tiwi.exe
1784 | IExplorer.exe
3088 | winlogon.exe
5680 | imoet.exe
3740 | cute.exe
4172 | Tiwi.exe
5992 | IExplorer.exe
3228 | winlogon.exe
6012 | Tiwi.exe
2960 | imoet.exe
3252 | IExplorer.exe
2200 | cute.exe
5380 | winlogon.exe
3332 | imoet.exe
4140 | Tiwi.exe
3564 | Tiwi.exe
4516 | Tiwi.exe
1824 | cute.exe
5712 | IExplorer.exe
3076 | IExplorer.exe
5208 | IExplorer.exe
2988 | winlogon.exe
5740 | winlogon.exe
1716 | winlogon.exe
5348 | imoet.exe
5148 | imoet.exe
4040 | imoet.exe
5556 | cute.exe
4116 | cute.exe
1604 | cute.exe
Loads dropped DLL (5 IoCs)
pid | Process
4172 | Tiwi.exe
6012 | Tiwi.exe
3564 | Tiwi.exe
4140 | Tiwi.exe
4516 | Tiwi.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | imoet.exe
File opened (read-only) | \??\E: | cute.exe
File opened (read-only) | \??\K: | Tiwi.exe
File opened (read-only) | \??\Q: | IExplorer.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\U: | imoet.exe
File opened (read-only) | \??\V: | cute.exe
File opened (read-only) | \??\X: | winlogon.exe
File opened (read-only) | \??\E: | Tiwi.exe
File opened (read-only) | \??\M: | Tiwi.exe
File opened (read-only) | \??\V: | imoet.exe
File opened (read-only) | \??\T: | cute.exe
File opened (read-only) | \??\B: | Tiwi.exe
File opened (read-only) | \??\Y: | imoet.exe
File opened (read-only) | \??\W: | cute.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\L: | cute.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\L: | Tiwi.exe
File opened (read-only) | \??\T: | imoet.exe
File opened (read-only) | \??\H: | cute.exe
File opened (read-only) | \??\I: | cute.exe
File opened (read-only) | \??\T: | Tiwi.exe
File opened (read-only) | \??\W: | Tiwi.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\J: | cute.exe
File opened (read-only) | \??\N: | IExplorer.exe
File opened (read-only) | \??\S: | imoet.exe
File opened (read-only) | \??\Y: | winlogon.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\Q: | imoet.exe
File opened (read-only) | \??\X: | cute.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\Q: | Tiwi.exe
File opened (read-only) | \??\X: | IExplorer.exe
File opened (read-only) | \??\B: | cute.exe
File opened (read-only) | \??\P: | cute.exe
File opened (read-only) | \??\U: | Tiwi.exe
File opened (read-only) | \??\Y: | Tiwi.exe
File opened (read-only) | \??\P: | imoet.exe
File opened (read-only) | \??\W: | imoet.exe
File opened (read-only) | \??\N: | imoet.exe
File opened (read-only) | \??\G: | cute.exe
File opened (read-only) | \??\S: | cute.exe
File opened (read-only) | \??\Z: | cute.exe
File opened (read-only) | \??\V: | Tiwi.exe
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\M: | imoet.exe
File opened (read-only) | \??\Y: | cute.exe
File opened (read-only) | \??\U: | cute.exe
File opened (read-only) | \??\R: | Tiwi.exe
File opened (read-only) | \??\K: | imoet.exe
File opened (read-only) | \??\N: | cute.exe
File opened (read-only) | \??\U: | winlogon.exe
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\K: | cute.exe
File opened (read-only) | \??\H: | imoet.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\H: | Tiwi.exe
File opened (read-only) | \??\J: | IExplorer.exe
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\E: | imoet.exe
File opened (read-only) | \??\R: | imoet.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | Tiwi.exe
File opened for modification | C:\autorun.inf | Tiwi.exe
File created | F:\autorun.inf | Tiwi.exe
File opened for modification | F:\autorun.inf | Tiwi.exe
Drops file in System32 directory (38 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File created | C:\Windows\SysWOW64\shell.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
Drops file in Windows directory (24 IoCs)
description | ioc | Process
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 65fdbb4874824edbae3b8ddd9758f7f6.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\ | Tiwi.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe
2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
5020 | Tiwi.exe
5680 | imoet.exe
3088 | winlogon.exe
1784 | IExplorer.exe
3740 | cute.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe
5020 | Tiwi.exe
1784 | IExplorer.exe
3088 | winlogon.exe
5680 | imoet.exe
3740 | cute.exe
4172 | Tiwi.exe
5992 | IExplorer.exe
3228 | winlogon.exe
6012 | Tiwi.exe
2960 | imoet.exe
3252 | IExplorer.exe
2200 | cute.exe
5380 | winlogon.exe
3332 | imoet.exe
4140 | Tiwi.exe
1824 | cute.exe
3564 | Tiwi.exe
4516 | Tiwi.exe
5712 | IExplorer.exe
5208 | IExplorer.exe
3076 | IExplorer.exe
2988 | winlogon.exe
5740 | winlogon.exe
1716 | winlogon.exe
5348 | imoet.exe
5148 | imoet.exe
4040 | imoet.exe
5556 | cute.exe
4116 | cute.exe
1604 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2712 wrote to memory of 5020 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 83
PID 2712 wrote to memory of 5020 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 83
PID 2712 wrote to memory of 5020 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 83
PID 2712 wrote to memory of 1784 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 90
PID 2712 wrote to memory of 1784 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 90
PID 2712 wrote to memory of 1784 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 90
PID 2712 wrote to memory of 3088 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 91
PID 2712 wrote to memory of 3088 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 91
PID 2712 wrote to memory of 3088 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 91
PID 2712 wrote to memory of 5680 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 92
PID 2712 wrote to memory of 5680 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 92
PID 2712 wrote to memory of 5680 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 92
PID 2712 wrote to memory of 3740 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 93
PID 2712 wrote to memory of 3740 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 93
PID 2712 wrote to memory of 3740 | 2712 | 65fdbb4874824edbae3b8ddd9758f7f6.exe | 93
PID 5020 wrote to memory of 4172 | 5020 | Tiwi.exe | 127
PID 5020 wrote to memory of 4172 | 5020 | Tiwi.exe | 127
PID 5020 wrote to memory of 4172 | 5020 | Tiwi.exe | 127
PID 5020 wrote to memory of 5992 | 5020 | Tiwi.exe | 126
PID 5020 wrote to memory of 5992 | 5020 | Tiwi.exe | 126
PID 5020 wrote to memory of 5992 | 5020 | Tiwi.exe | 126
PID 5020 wrote to memory of 3228 | 5020 | Tiwi.exe | 125
PID 5020 wrote to memory of 3228 | 5020 | Tiwi.exe | 125
PID 5020 wrote to memory of 3228 | 5020 | Tiwi.exe | 125
PID 1784 wrote to memory of 6012 | 1784 | IExplorer.exe | 97
PID 1784 wrote to memory of 6012 | 1784 | IExplorer.exe | 97
PID 1784 wrote to memory of 6012 | 1784 | IExplorer.exe | 97
PID 5020 wrote to memory of 2960 | 5020 | Tiwi.exe | 124
PID 5020 wrote to memory of 2960 | 5020 | Tiwi.exe | 124
PID 5020 wrote to memory of 2960 | 5020 | Tiwi.exe | 124
PID 1784 wrote to memory of 3252 | 1784 | IExplorer.exe | 123
PID 1784 wrote to memory of 3252 | 1784 | IExplorer.exe | 123
PID 1784 wrote to memory of 3252 | 1784 | IExplorer.exe | 123
PID 5020 wrote to memory of 2200 | 5020 | Tiwi.exe | 122
PID 5020 wrote to memory of 2200 | 5020 | Tiwi.exe | 122
PID 5020 wrote to memory of 2200 | 5020 | Tiwi.exe | 122
PID 1784 wrote to memory of 5380 | 1784 | IExplorer.exe | 121
PID 1784 wrote to memory of 5380 | 1784 | IExplorer.exe | 121
PID 1784 wrote to memory of 5380 | 1784 | IExplorer.exe | 121
PID 1784 wrote to memory of 3332 | 1784 | IExplorer.exe | 120
PID 1784 wrote to memory of 3332 | 1784 | IExplorer.exe | 120
PID 1784 wrote to memory of 3332 | 1784 | IExplorer.exe | 120
PID 3740 wrote to memory of 4140 | 3740 | cute.exe | 98
PID 3740 wrote to memory of 4140 | 3740 | cute.exe | 98
PID 3740 wrote to memory of 4140 | 3740 | cute.exe | 98
PID 5680 wrote to memory of 3564 | 5680 | imoet.exe | 119
PID 5680 wrote to memory of 3564 | 5680 | imoet.exe | 119
PID 5680 wrote to memory of 3564 | 5680 | imoet.exe | 119
PID 3088 wrote to memory of 4516 | 3088 | winlogon.exe | 100
PID 3088 wrote to memory of 4516 | 3088 | winlogon.exe | 100
PID 3088 wrote to memory of 4516 | 3088 | winlogon.exe | 100
PID 1784 wrote to memory of 1824 | 1784 | IExplorer.exe | 99
PID 1784 wrote to memory of 1824 | 1784 | IExplorer.exe | 99
PID 1784 wrote to memory of 1824 | 1784 | IExplorer.exe | 99
PID 3740 wrote to memory of 5712 | 3740 | cute.exe | 118
PID 3740 wrote to memory of 5712 | 3740 | cute.exe | 118
PID 3740 wrote to memory of 5712 | 3740 | cute.exe | 118
PID 3088 wrote to memory of 3076 | 3088 | winlogon.exe | 101
PID 3088 wrote to memory of 3076 | 3088 | winlogon.exe | 101
PID 3088 wrote to memory of 3076 | 3088 | winlogon.exe | 101
PID 5680 wrote to memory of 5208 | 5680 | imoet.exe | 117
PID 5680 wrote to memory of 5208 | 5680 | imoet.exe | 117
PID 5680 wrote to memory of 5208 | 5680 | imoet.exe | 117
PID 5680 wrote to memory of 2988 | 5680 | imoet.exe | 114
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe (depth 1, PID 2712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"
  Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - C:\Windows\Tiwi.exe (depth 2, PID 5020)
    Command line: C:\Windows\Tiwi.exe
    Signatures:
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3, PID 2200)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3, PID 2960)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 3228)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 5992)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\Tiwi.exe (depth 3, PID 4172)
      Command line: C:\Windows\Tiwi.exe
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (depth 2, PID 1784)
    Command line: C:\Windows\system32\IExplorer.exe
    Signatures:
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Windows\Tiwi.exe (depth 3, PID 6012)
      Command line: C:\Windows\Tiwi.exe
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3, PID 1824)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3, PID 3332)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 5380)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 3252)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 2, PID 3088)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Windows\Tiwi.exe (depth 3, PID 4516)
      Command line: C:\Windows\Tiwi.exe
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 3076)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3, PID 4040)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3, PID 1604)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 1716)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 2, PID 5680)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3, PID 5556)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3, PID 5348)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 2988)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 5208)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\Tiwi.exe (depth 3, PID 3564)
      Command line: C:\Windows\Tiwi.exe
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 2, PID 3740)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Windows\Tiwi.exe (depth 3, PID 4140)
      Command line: C:\Windows\Tiwi.exe
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3, PID 4116)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3, PID 5148)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 5740)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 5712)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads