Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 16:26
Static task
static1
Behavioral task
behavioral1
Sample
74f76feb756e5f44d38bd4d94074226b.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
74f76feb756e5f44d38bd4d94074226b.exe
Resource
win10v2004-20231215-en
General
-
Target
74f76feb756e5f44d38bd4d94074226b.exe
-
Size
789KB
-
MD5
74f76feb756e5f44d38bd4d94074226b
-
SHA1
cce797f369add6cedd736a084a2a8ee110adcac5
-
SHA256
186362bae3f7ec5e5c9f988ba0c07ef1b47cca565f5b78a4ca167ece37ebb7e1
-
SHA512
c6675ac65b4fd4060888feda42b9f29a0a740a959bd9b3bcd532768a3cbfa76f447579e6506a04ba4e760a7104067f044b70a6f038ec4e4b9232e77b256b97e5
-
SSDEEP
24576:HGi2Gi2Gi2Gi2GiyGivGiNGimGitGimGiIGiFGimGi4GiBGiG:HGi2Gi2Gi2Gi2GiyGivGiNGimGitGimz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes:
imoet.exe74f76feb756e5f44d38bd4d94074226b.exeIExplorer.exewinlogon.execute.exeTiwi.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Processes:
IExplorer.exewinlogon.exeimoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 74f76feb756e5f44d38bd4d94074226b.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exewinlogon.exeimoet.execute.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 74f76feb756e5f44d38bd4d94074226b.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe -
Disables RegEdit via registry modification 6 IoCs
Processes:
IExplorer.exewinlogon.exeimoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 74f76feb756e5f44d38bd4d94074226b.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exewinlogon.exeimoet.execute.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 74f76feb756e5f44d38bd4d94074226b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 30 IoCs
Processes:
Tiwi.exeIExplorer.exewinlogon.exeimoet.execute.exeTiwi.exeIExplorer.exewinlogon.exeimoet.execute.exeTiwi.exeTiwi.exeTiwi.exeTiwi.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeimoet.exeimoet.exeimoet.exeimoet.execute.execute.execute.execute.exepid process 2196 Tiwi.exe 2680 IExplorer.exe 116 winlogon.exe 4488 imoet.exe 3152 cute.exe 1652 Tiwi.exe 3708 IExplorer.exe 4844 winlogon.exe 456 imoet.exe 2688 cute.exe 4244 Tiwi.exe 2360 Tiwi.exe 4696 Tiwi.exe 4880 Tiwi.exe 976 IExplorer.exe 4704 IExplorer.exe 3256 IExplorer.exe 4204 IExplorer.exe 2200 winlogon.exe 4792 winlogon.exe 5048 winlogon.exe 1512 winlogon.exe 4068 imoet.exe 4000 imoet.exe 1160 imoet.exe 3500 imoet.exe 3480 cute.exe 4856 cute.exe 5024 cute.exe 2632 cute.exe -
Loads dropped DLL 5 IoCs
Processes:
Tiwi.exeTiwi.exeTiwi.exeTiwi.exeTiwi.exepid process 1652 Tiwi.exe 4244 Tiwi.exe 4696 Tiwi.exe 2360 Tiwi.exe 4880 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeIExplorer.execute.exeTiwi.exewinlogon.exeimoet.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe -
Adds Run key to start application 2 TTPs 24 IoCs
Processes:
imoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exewinlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Tiwi.exeIExplorer.exeimoet.execute.exewinlogon.exedescription ioc process File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\L: imoet.exe File opened (read-only) \??\M: imoet.exe File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\I: cute.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\X: winlogon.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\O: imoet.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\G: Tiwi.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\I: Tiwi.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\R: cute.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\E: imoet.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\U: cute.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\W: Tiwi.exe File opened (read-only) \??\X: Tiwi.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\H: cute.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\U: Tiwi.exe -
Modifies WinLogon 2 TTPs 18 IoCs
Processes:
imoet.execute.exeIExplorer.exewinlogon.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
Tiwi.exedescription ioc process File created C:\autorun.inf Tiwi.exe File opened for modification C:\autorun.inf Tiwi.exe File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe -
Drops file in System32 directory 38 IoCs
Processes:
IExplorer.exeTiwi.exewinlogon.execute.exeimoet.exe74f76feb756e5f44d38bd4d94074226b.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exedescription ioc process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File created C:\Windows\SysWOW64\tiwi.scr 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 74f76feb756e5f44d38bd4d94074226b.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 74f76feb756e5f44d38bd4d94074226b.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 24 IoCs
Processes:
IExplorer.exewinlogon.exeimoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exedescription ioc process File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\tiwi.exe 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe 74f76feb756e5f44d38bd4d94074226b.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Modifies Control Panel 54 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeTiwi.exewinlogon.exeimoet.exeIExplorer.execute.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 74f76feb756e5f44d38bd4d94074226b.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ cute.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe -
Processes:
winlogon.exeimoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 74f76feb756e5f44d38bd4d94074226b.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
imoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exewinlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe -
Modifies registry class 64 IoCs
Processes:
winlogon.execute.exeTiwi.exeIExplorer.exe74f76feb756e5f44d38bd4d94074226b.exeimoet.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 74f76feb756e5f44d38bd4d94074226b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exepid process 4256 74f76feb756e5f44d38bd4d94074226b.exe 4256 74f76feb756e5f44d38bd4d94074226b.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
Tiwi.exeimoet.exewinlogon.execute.exeIExplorer.exepid process 2196 Tiwi.exe 4488 imoet.exe 116 winlogon.exe 3152 cute.exe 2680 IExplorer.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exewinlogon.exeimoet.execute.exeTiwi.exeIExplorer.exewinlogon.exeimoet.execute.exeTiwi.exeTiwi.exeTiwi.exeTiwi.exeIExplorer.exeIExplorer.exeIExplorer.exeIExplorer.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeimoet.exeimoet.exeimoet.exeimoet.execute.execute.execute.execute.exepid process 4256 74f76feb756e5f44d38bd4d94074226b.exe 2196 Tiwi.exe 2680 IExplorer.exe 116 winlogon.exe 4488 imoet.exe 3152 cute.exe 1652 Tiwi.exe 3708 IExplorer.exe 4844 winlogon.exe 456 imoet.exe 2688 cute.exe 4244 Tiwi.exe 4696 Tiwi.exe 2360 Tiwi.exe 4880 Tiwi.exe 976 IExplorer.exe 4704 IExplorer.exe 3256 IExplorer.exe 4204 IExplorer.exe 2200 winlogon.exe 4792 winlogon.exe 5048 winlogon.exe 1512 winlogon.exe 4068 imoet.exe 4000 imoet.exe 3500 imoet.exe 1160 imoet.exe 3480 cute.exe 4856 cute.exe 2632 cute.exe 5024 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
74f76feb756e5f44d38bd4d94074226b.exeTiwi.exewinlogon.exeIExplorer.execute.exeimoet.exedescription pid process target process PID 4256 wrote to memory of 2196 4256 74f76feb756e5f44d38bd4d94074226b.exe Tiwi.exe PID 4256 wrote to memory of 2196 4256 74f76feb756e5f44d38bd4d94074226b.exe Tiwi.exe PID 4256 wrote to memory of 2196 4256 74f76feb756e5f44d38bd4d94074226b.exe Tiwi.exe PID 4256 wrote to memory of 2680 4256 74f76feb756e5f44d38bd4d94074226b.exe IExplorer.exe PID 4256 wrote to memory of 2680 4256 74f76feb756e5f44d38bd4d94074226b.exe IExplorer.exe PID 4256 wrote to memory of 2680 4256 74f76feb756e5f44d38bd4d94074226b.exe IExplorer.exe PID 4256 wrote to memory of 116 4256 74f76feb756e5f44d38bd4d94074226b.exe winlogon.exe PID 4256 wrote to memory of 116 4256 74f76feb756e5f44d38bd4d94074226b.exe winlogon.exe PID 4256 wrote to memory of 116 4256 74f76feb756e5f44d38bd4d94074226b.exe winlogon.exe PID 4256 wrote to memory of 4488 4256 74f76feb756e5f44d38bd4d94074226b.exe imoet.exe PID 4256 wrote to memory of 4488 4256 74f76feb756e5f44d38bd4d94074226b.exe imoet.exe PID 4256 wrote to memory of 4488 4256 74f76feb756e5f44d38bd4d94074226b.exe imoet.exe PID 4256 wrote to memory of 3152 4256 74f76feb756e5f44d38bd4d94074226b.exe cute.exe PID 4256 wrote to memory of 3152 4256 74f76feb756e5f44d38bd4d94074226b.exe cute.exe PID 4256 wrote to memory of 3152 4256 74f76feb756e5f44d38bd4d94074226b.exe cute.exe PID 2196 wrote to memory of 1652 2196 Tiwi.exe Tiwi.exe PID 2196 wrote to memory of 1652 2196 Tiwi.exe Tiwi.exe PID 2196 wrote to memory of 1652 2196 Tiwi.exe Tiwi.exe PID 2196 wrote to memory of 3708 2196 Tiwi.exe IExplorer.exe PID 2196 wrote to memory of 3708 2196 Tiwi.exe IExplorer.exe PID 2196 wrote to memory of 3708 2196 Tiwi.exe IExplorer.exe PID 2196 wrote to memory of 4844 2196 Tiwi.exe winlogon.exe PID 2196 wrote to memory of 4844 2196 Tiwi.exe winlogon.exe PID 2196 wrote to memory of 4844 2196 Tiwi.exe winlogon.exe PID 2196 wrote to memory of 456 2196 Tiwi.exe imoet.exe PID 2196 wrote to memory of 456 2196 Tiwi.exe imoet.exe PID 2196 wrote to memory of 456 2196 Tiwi.exe imoet.exe PID 2196 wrote to memory of 2688 2196 Tiwi.exe cute.exe PID 2196 wrote to memory of 2688 2196 Tiwi.exe cute.exe PID 2196 wrote to memory of 2688 2196 Tiwi.exe cute.exe PID 116 wrote to memory of 4244 116 winlogon.exe Tiwi.exe PID 116 wrote to memory of 4244 116 winlogon.exe Tiwi.exe PID 116 wrote to memory of 4244 116 winlogon.exe Tiwi.exe PID 2680 wrote to memory of 2360 2680 IExplorer.exe Tiwi.exe PID 2680 wrote to memory of 2360 2680 IExplorer.exe Tiwi.exe PID 2680 wrote to memory of 2360 2680 IExplorer.exe Tiwi.exe PID 3152 wrote to memory of 4696 3152 cute.exe Tiwi.exe PID 3152 wrote to memory of 4696 3152 cute.exe Tiwi.exe PID 3152 wrote to memory of 4696 3152 cute.exe Tiwi.exe PID 4488 wrote to memory of 4880 4488 imoet.exe Tiwi.exe PID 4488 wrote to memory of 4880 4488 imoet.exe Tiwi.exe PID 4488 wrote to memory of 4880 4488 imoet.exe Tiwi.exe PID 116 wrote to memory of 976 116 winlogon.exe IExplorer.exe PID 116 wrote to memory of 976 116 winlogon.exe IExplorer.exe PID 116 wrote to memory of 976 116 winlogon.exe IExplorer.exe PID 3152 wrote to memory of 4704 3152 cute.exe IExplorer.exe PID 3152 wrote to memory of 4704 3152 cute.exe IExplorer.exe PID 3152 wrote to memory of 4704 3152 cute.exe IExplorer.exe PID 2680 wrote to memory of 3256 2680 IExplorer.exe IExplorer.exe PID 2680 wrote to memory of 3256 2680 IExplorer.exe IExplorer.exe PID 2680 wrote to memory of 3256 2680 IExplorer.exe IExplorer.exe PID 4488 wrote to memory of 4204 4488 imoet.exe IExplorer.exe PID 4488 wrote to memory of 4204 4488 imoet.exe IExplorer.exe PID 4488 wrote to memory of 4204 4488 imoet.exe IExplorer.exe PID 116 wrote to memory of 2200 116 winlogon.exe winlogon.exe PID 116 wrote to memory of 2200 116 winlogon.exe winlogon.exe PID 116 wrote to memory of 2200 116 winlogon.exe winlogon.exe PID 3152 wrote to memory of 4792 3152 cute.exe winlogon.exe PID 3152 wrote to memory of 4792 3152 cute.exe winlogon.exe PID 3152 wrote to memory of 4792 3152 cute.exe winlogon.exe PID 2680 wrote to memory of 5048 2680 IExplorer.exe winlogon.exe PID 2680 wrote to memory of 5048 2680 IExplorer.exe winlogon.exe PID 2680 wrote to memory of 5048 2680 IExplorer.exe winlogon.exe PID 4488 wrote to memory of 1512 4488 imoet.exe winlogon.exe -
System policy modification 1 TTPs 12 IoCs
Processes:
winlogon.exeimoet.execute.exe74f76feb756e5f44d38bd4d94074226b.exeTiwi.exeIExplorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 74f76feb756e5f44d38bd4d94074226b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74f76feb756e5f44d38bd4d94074226b.exe"C:\Users\Admin\AppData\Local\Temp\74f76feb756e5f44d38bd4d94074226b.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4256 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2196 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3708 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1652 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3256 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2360 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:116 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:976 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2200 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3480 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4068 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4244 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4488 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4204 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5024 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4880 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3152 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4856 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4792 -
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4704 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\WINDOWS\cute.exeFilesize
230KB
MD5f12f12906d037ca9c73bd0fa74cc6bc9
SHA1b9f664c884f6bf8b907dd4a2bcaebe38acf95b17
SHA2560ec74e0ea8bad01c28b27347f24455475e465a14549a461f3d9d65df9188639e
SHA512512f3a1473662cd53dabed5f02db6f4a331c1e31f540e34769143f4d343cd19678674bcf40cbe34ac94715c37aab75d472fbd67519fa576932320141d3719992
-
C:\Users\Admin\AppData\Local\WINDOWS\cute.exeFilesize
92KB
MD52c00f82077b998186245b58972e822fd
SHA1b495f4db4b5da62e0695853f17cf843f7f089701
SHA256a04819c70e1b3b678c9d84b0f1238f45dc54aa85cd69e8930e4e25fe664887f8
SHA51239f8dc5ea03c364e784823380e402faa8f4616407f876f8e9f106c2bb624e9f3acdb5e90bd0e8851c72ded572fa4e8e2bc819e5a6e36f5103ec71d99242376ef
-
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exeFilesize
248KB
MD5568000559c97cdf9656fc620d19b67a7
SHA19c1309b3ac127e46eec5b62ad75c674045e3d248
SHA256f6a524798a923c1e7f272270969af71d02c36ef5d6b7df5d37e6041eac6b4f18
SHA512c64bfc86a0781c8fcda05f7dd4326d5062589c3ca8cdd1daf184d3560254a3809588821869f6078c67a4a4442471b3b88fded944caa1f8d39d926a43f4c6088b
-
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exeFilesize
334KB
MD50dffe2a2cd96b3a81895fd7cb2bcfb76
SHA1c627bf1e8ac71927f0ce8be085869dbe4b794963
SHA2564c3430a65ce4f413cd8f8945c5fd06bac486315aba2975c6697434a08a49561d
SHA51210ac33cafa5127100dfa6899acaad0bc76e150fd464c0016ca577fcbf3d79e39025693e2550628a5e0acde6c7ff2bbd9e2f375795ba5b82f101babfdb2b25f18
-
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exeFilesize
45KB
MD50d2bd98547adec6e1e3ba826768f27ac
SHA194b670d486ac20c9f511e0554a7fbad8dd9cab95
SHA2565cbcd7e1a1610dc16f2abfe85b6bd27f2a860f0095f5a8361b1051f895a70386
SHA512fa5ffd5aa3bb78b3c5b6ac8352eb6e1a42883da932dc8366b4c0e283c763704b8798fd90dac56b050f9cdcd19137a721b3111df7317501d6e981eb9203343a13
-
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exeFilesize
476KB
MD5b501ed77c73252eeeeea02873daac805
SHA113307027a82c517a6cf4e0209b46d7dab747ece7
SHA25610b0a7b1a8b7f80fd5a96374e2b0a596360a6160a6d0cd9791b35d47cd9dff12
SHA512365e1092cd64188c422986def8dc27d4a23393653c50d1eefc47ff192091aac992c2f5c21574b3a27d35b72aa1914c2fba91874f06be61394349f3addc05c13b
-
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exeFilesize
30KB
MD5d2ed1de62529ea2ce6dae158cd329587
SHA1cb67a41fbb46840bc1890d09dcf2679e494f079c
SHA256c403fe21a1d7a46c089bfdf3beb25ad3f7f07dbc4e8c45008da38b97671e82d7
SHA512f24d18288ae067e1f87fe66bd27ac13d5e3edecea0b51e7ad7628306f44648e14a4a4ae7cdfbf5ad12fccbac26ac5913f1def2202dab254591c8373132c267ca
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exeFilesize
141KB
MD59fffd6e5fa3f151e1d437a1c53aacb21
SHA1b2ec430528fb4c840a56807ff25bfc4b8b5f980e
SHA2565faded16bb24bb7f860dc0550c13bb9c3bde5c77617bf2cc27421f2d8289d08e
SHA512ccc7fce743816dfee23cfb28ed25aafb4d9e758db42f8eaf66fd713696b564851d1c752be10f4d942f30eb64014b33393b69b0bf684eaf2e8f824b920844799b
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exeFilesize
151KB
MD5e8f5cc7b2191648ca0790434385553df
SHA19a85bb986195be63d5e9236517f6f3bc95322a47
SHA256ab29457074960ab0864e75eeeb4b335193b698d79f6dda9ea5367d22b502fc43
SHA5127cab86a582df45731747da42228832fa6164cca32ccb1d34fc26cd7d2edb9f277b0ef74800d53a99dc6addf5626cbd3da996982da228add2f761a757d68832ed
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exeFilesize
45KB
MD5e061b5002ee636aca7a13565a31115fa
SHA15e48300653f32d0ec3ad56367bec942458119907
SHA2563ac0df377145dfad1ad41a43000e74d7b87b7bb2e66e9b6be70bad97aa9b5220
SHA5129ba4a1a5c167c29b6ab89f636f3e26ea830d0a4ab8371dc162f388f5eed3976a332624f5ef5a0ad9f71bbf9ef97740fd83ab652f92d065b82cfd13f46cd6aeab
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exeFilesize
45KB
MD5e2d72fd90a98296c9dadbd32b6e6b327
SHA1fe5161ab384dc257e97e0d56c04756ceeda3c0b9
SHA25633bed76585cfcf8f0038a1c33c244cff01bc506c77760fc41f0ca69a6090e24a
SHA51278d48426755572b51f45631a3de67bd6e88736329df41fe5816ed9ebd0ca347f404a359f23e9f2174fe51e7ab67fd0c1677f23e8fa03c6f6863f003f96e911da
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exeFilesize
549KB
MD540c4285d1fbe544e4ae8dd7bc0016061
SHA19b54424303690291f48230ebcc1966844d5c0735
SHA2569b980872657e54f290c23b2564f2eb622433fd434c421d6e8760fee774af2a9c
SHA51217367ffbff5bb5460db28abdfa1a2f1ea7302cb2882ff197fd13ddca952d8fba5d3107fc68381c637b6dd6cfd0fdfe8b7d4447e7877111080ae031b0af5d2a50
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exeFilesize
434KB
MD5a8c5a2cf702a21f2b82ce7e0de848d64
SHA1870253b8f13f59fd80ee46bb95108a78ea1e3154
SHA2567f4ee45bad00b094575acbc22a01d272936a007ee74542bdd065863fd896da22
SHA5120abe3d9f7399b54b560018bcfe13b050a9f879e59bedab303b5c37e1a7d2c1ca577bafca7fe5e4d5af145a6abd46f52cd367b22b1e4040c39aa55aea0141c95b
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exeFilesize
438KB
MD51a4cc52912a9015f0fdea3b142800b9f
SHA161d81cc4395816704706f27ccea55dfb06194f6d
SHA2566141b8c6fb006d241ca195962dea07c5137e49089797e4d064f5e227851c6aea
SHA512f8463b8b731d4644e25fe160f3a61cb0f63055934f7657210733a7538751923db8315bdf863a817c4a5fd0adaa95b5222310216b3990a4d17d4610042179a2c9
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exeFilesize
414KB
MD5864cdfa3cfcd51c62829761830a6a9cb
SHA1160dec768c5e37631f24a21f6567a4562d29c08e
SHA256df05494142655a74a54dad93dd548d6c64d779588b3002aa06e783e10cb6b7a8
SHA5126423ed8c96d81b152859487df1ad0fc24f35162f1dc31a95ab0b1a5ccc067e3afdee2f91f3aba35c7287d8f2b026db7bf700f39e11bf9ecf85f497d9794509d9
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exeFilesize
279KB
MD57451da4cf8de84b92268df935dbf7fef
SHA17f5e6cfd9a4acd4ff42f88b6d48d6e8f576f20ef
SHA25664ba587507cdee53ea965bfba93fd96f65ad0087cc2652312d9cf790750650fb
SHA512df1737552fba9d3e7981fad14b1b44f1ad8d8e03905c101d7204cf74fa162463ef823a39216add75db9abb1d5f4d35096dad57d3e72c76b42bee2edfad3ed77b
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
470KB
MD5320a0198c66a66a0a2c8f9997483fa8a
SHA1024846fa4543f39e99c472d85377c9b07fde5a71
SHA2568bad5e34f26ada87b3496c91f080ffe90e8f4996132fe27518e80e86dbe973aa
SHA5128d662c73afdc9bac8461ab29f6e81b91cfa1a2d13da9ca22edf9f48d89ade593c0b28e2b0f84eb604fd7451d5c9b5f8659702f5be0de106efdcf53a00e227fc2
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
31KB
MD5b2bd525291ff46c46125c5fe6377ae66
SHA1fe8e76f6f2bc2a6d99890cecb7a661beeafd6979
SHA2566ca738dbb02e23ecc966f01c88adeeffefdd91856151898957a02ce922d07e2b
SHA512673be5488bc2bed626eab0192a4395ee64afeea4f3dc037ff992d2ac3a3b5fa903cf3f8bfdb5e844aef258e328042104b1d49ccc25ca1b001f1bf6efbddf09fa
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
383KB
MD528b222f2688a2502de989854482326f3
SHA10079774d27b4e78a693802a4fcbd97689c4d157a
SHA2563ef88eaa84b469ea5c3ecda642226d36b1a368ba3ebbf4a980b2041786a396ba
SHA512aec7612e1f007a30ae92ed7a0a783e8b1a9f3e9b581f81f1704becce0cdc8981fe7e3a1f68d5ee57d7d03a5a7400f6bd7c951bd5e9aae382ee14df18a360f68a
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
344KB
MD5f4e7fd74a10f891492b524af8c6262c6
SHA1522f3d6775fd2f73c95c0ac6259f423ff1698f7c
SHA256582439f295a58de67ea543fbf5ccf8776180f2b668cb429935140f36c5ce5d60
SHA5120e595750f600f0d87d64aa368ee090e48468a117a86102bc35ef0beabe251021851aaf21fb671b47bcd33b516e8fe9163bb0ecc4c0570a28532ccc7d3ba77363
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
310KB
MD57e7e987be91e1b43431e44ce431950cf
SHA11be1cc1539160ac2413dd8bb9fc6fb4583b300c9
SHA256b326964774fb2a5467dcb18345c7bf4e842bac76c1698f4f084e159011d64fd8
SHA512a768c914cb1ca3fe4fe06a04db288db8c6cf9b290848dcd7600a2c5cb87384610ef9f86cc874152e10e2dfbadcad370cb3c5aa6b79d2d81f5b44a4b82bcb10e1
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
281KB
MD52e3e09cb12f61be4c382b20cd6d6a419
SHA17096f4097e5c54d97f4ee1ac55a8887439af6012
SHA25635af1d3ebe71671586ba79d0c82bc2fd5960a312919129acb9c3aeda899693cc
SHA512c0e35e7256c5330c468fd1b31889720da89ae7f6e6690c250ceb40018389c9b38d3676a45d6ce1ccf3173a292fa677e7a592a7d1cbeb9a22d910083cebece387
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
382KB
MD5dcc9fc77e58243b4bdcdd3d73a2c0ff4
SHA16cf053d724d2567a01b692451d6daea2efebfa85
SHA256cd08fda06025f0459dfc2f0cb3aad7ae6b6add1311c93f8ed497834b4487053b
SHA51253ce0df913be47e16fe569a7e99b64682ce53169ac4385bdbed38afd8b11a1bb167096d42f8e2f6cbeb26f3de88b88cb37dbc74e129c154eec260657f70c0faf
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pifFilesize
136KB
MD5ff02ac91ec720cec86d8939bc5a6f683
SHA1956c41384fcfa016769d076060dad691369ef5c5
SHA25668c53d14c5350f5e4dace45380509667d6b12ce9ec46f4ef2d5ed97df35db10a
SHA51231b25ea21932df9c01154b9a86570c56a3a3856aa545347bd6a5867ad6feaf454de812c67a35a609135bfcfa0bf8e5841ba14962c6660b52e5841202ef72e7c4
-
C:\Windows\MSVBVM60.DLLFilesize
11KB
MD53ba701d168d48cc282d21fec5aeacdf0
SHA15e9acdc456b7e39cafa460d0e54070cf0159d395
SHA256ebd24721dc87dc84552558fc63816e3cdcf6c978d817e1f9cae51cbb6de1e4d5
SHA512d86a9f9ef98bf4db99dfdef222066047b13e6054110864c38fac3c3b65c3060bdc3126521098ddd7998dd001526527abd77c972896d3a3efcffb90a7ea1e285a
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
282KB
MD5e4353cde7aed5803ae3ce9af9b0c8883
SHA132a5331687a83354ea8ae90529080bb1ae0c6219
SHA2568abcaa6198d15000163a1eb23e00817814f405e234b0ddee998518eedb393e99
SHA51206f90a6093d010ab1c5d0857103bd98e52b96ae69c2aa803688de6803de8454a0be7caef5586df2a5dbb002833f01bae38d6c744148b84dfb3c2ba899899b97a
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
469KB
MD5d5b48a4fea076ca5e70ffa62c8f19dde
SHA1ac14ba63ed117fed8c645d07a843fdf997efe3fe
SHA256b8b69d97b3e4f54d96949f480e2a5b0389dce0283fdc07443d0a7bf3c7c71a8c
SHA5122db6008bd4f0498c8552fcf6ddd710160ddc2a22db4282b2d18a19ef993fc973aa90732ab6a1dcc3ab9130096c4abf89c9ca23eb94d9d361058eb61c95d92a81
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
27KB
MD52b09e044405a792a66b8f4876e54638d
SHA17d91cd628f6508b68d0cef45bbae07a83b4811b3
SHA256db4c7c49eab27e6af74719c13d0b234da4f95775e5de2fd4974662bea63f11c5
SHA512fca900f7f1dc5c57c3db8d9bc247a81f13712c6efd8c0c9bf79e00c7b1028ece74436d3311cd3619cd99fcefa68a812925294a0079f9994f36f9c6898a72884a
-
C:\Windows\SysWOW64\shell.exeFilesize
688KB
MD5529012929e355f8928105c0e45f0466e
SHA1acaedd1da77c396da1df96e306145f3a3018b39f
SHA2566eb095ee658357af377d151a6b8f4f89af1b672c24ea45cf0566db83bac9cc92
SHA512903057c46bc6c0d6736172e22c82dddae800b8c8b69301500d6476bbf7a0b6101d943640973d8551bb84b3023218bef22f096109fa4c990eda50f88794848b44
-
C:\Windows\SysWOW64\shell.exeFilesize
176KB
MD5e3d493fdd57fb0dd47489d4521a96b24
SHA191e86f653c60a764b8c1d211cd58eca0c137323f
SHA256993720dc2bb31d5dc5e48ebe3eda4eadf569a27fe0e531e7e2effc276ae42f47
SHA512bbbb2ffc1b2a1ec8ecd53b8768d9e37605bc9ce93f414f3122daaae364b1998fe134013d944c63ceb8658e8ff74f74e173744aca95deba757055235d5b9802eb
-
C:\Windows\SysWOW64\shell.exeFilesize
286KB
MD5c803e524d4e3c3477a27426472bf5fa7
SHA144f6e59c1a7d4f7f35ddc4415c93903b5602ed60
SHA256a9fc336ff5e148cdc1f2fee26ffd9397a8f5b55996c539799ee3fd03679575d9
SHA512583dad80c5215af5f7464461ec95dd8bd9ff62b8e174fe8338576dc67796760134b2542d11b53efc8d31499efe7e99d523eaa5203d7d5dd60a8d617558c9269f
-
C:\Windows\SysWOW64\shell.exeFilesize
459KB
MD5f09fd8481ffc70a21221ddc1d366ccf8
SHA1c9abaa788f3d19668596a332da09dd8bd1262f52
SHA256a509689b0073aba0b89869e701c0ef21a349f5b15dd6446d5629d918f833d09a
SHA51241e13a347844aafb9794135af9f50a5ece3b57dd4ecdc3a3dac66f8c6d40d32d6f46169ab94df9942779c15935168358971ce433cbdcf5a6f96faa5b2be30634
-
C:\Windows\SysWOW64\shell.exeFilesize
319KB
MD5fe9d281ca1cc75c2fd0a50e55f93f0d7
SHA1a39d8368ca77af5970a91d9470d3f0693c1ee3da
SHA25654d39158ab3e02fae5ad2fea5befe42a91bd1dfdb2db205fa6752e9cd91dfa3a
SHA5126996f6ba5291b35e008c79cb6055f8005133fa81671531cc1f5bd669a635aac9c236895a82305b21087875a905d180403d8201affb54bf6a27c105bd7dce8c46
-
C:\Windows\SysWOW64\shell.exeFilesize
371KB
MD5f17d53f22def71790db6ae7b2a8d4c81
SHA17e71c273e288a1e9b1616530115adc6557b28f51
SHA2567b35a991bfe1836dd6a9d748044d8cc4a2a80f08efdd720fc5329a10cd3329ee
SHA512ffc6d5b982b0ded0efa82cf9acd971c7c4cb323b416f28c21403d26dbfc187864c4f71046b7ee32ef26a730408c0d8075b72286babd2eacb7ab7e5847a8bc33b
-
C:\Windows\SysWOW64\shell.exeFilesize
275KB
MD5e9d7d10e14733302605a38f8b41dbc2f
SHA125ddbf840d36472452fa39778fd8fe49d67ae9a9
SHA256f3e5308f3c76dfc61a78320029f220e90f1350187c53872d2fc6dbdf68abffe6
SHA512da063a3202435275ce523dd6b2c37c3f253e1ddb53f7cb019868409c5b6291185d7f3916264430a8321c9abe6a41b41e0398d60bd5eb42ce3465186ab1051aa2
-
C:\Windows\SysWOW64\shell.exeFilesize
400KB
MD57d74419ffb680c954181a63cf07072b1
SHA1946f6ee57a04902c5a2a292db85e023e799e616b
SHA2560d8f313ed5da6299886b738d663b659a16739e3ac6110627c12b4556e15bd0fc
SHA512d0231b423f952fb9919b004861c5a45b0de3bcbdbd1f7069220bc5fe803d4ae6500e83a47c49e16297da83fe4104147c47114c4b9d6f8fbe732296b38dc40642
-
C:\Windows\SysWOW64\shell.exeFilesize
253KB
MD59f6fe26590a8bc07325f4a5df5aa8a52
SHA13aed8737994f307b2c60a6faeb49037885998232
SHA256f0ddd4ca7970d929b1306537d0d39d142df9d16979b26ab16f5916a92ec1dacb
SHA512bec9922c32bfa9de09eb58cde1625b9813ce98c59f62da577306ecd7c78c5bff03f113d2a411370bf04513a145fbe0af61796432993b8553d80d43678e55725d
-
C:\Windows\SysWOW64\shell.exeFilesize
789KB
MD574f76feb756e5f44d38bd4d94074226b
SHA1cce797f369add6cedd736a084a2a8ee110adcac5
SHA256186362bae3f7ec5e5c9f988ba0c07ef1b47cca565f5b78a4ca167ece37ebb7e1
SHA512c6675ac65b4fd4060888feda42b9f29a0a740a959bd9b3bcd532768a3cbfa76f447579e6506a04ba4e760a7104067f044b70a6f038ec4e4b9232e77b256b97e5
-
C:\Windows\SysWOW64\tiwi.scrFilesize
623KB
MD5b7570270f1e4817a4fcf1aa6f501d190
SHA1ae8d111f22101284f19ac8d0c41bf382ff1992d7
SHA256e2dd758c582de1fe47cad86a6e6a558cf3a243283eede23a2e1b131aa15e3d28
SHA512a6d332af0af667243a29ca0b06b264cbf3a00f2aa51886889c373b5b21bcc453ffa1ea5cb6180c7e22dcc19094935da5d6087a021d66e5f4b2099f7ef8d149a5
-
C:\Windows\SysWOW64\tiwi.scrFilesize
464KB
MD5f770844822e7908b40450385ccb4fc2f
SHA17d1c4512686afd89ecb2b1987d187155e327df80
SHA2567f57fc6eb2d32bf3e4dd702cd790915e428c61992cc8d62dbec56bfdac1164ed
SHA512053d364ad09941e46f1f9f715f9a5b339c3da8a063e104f6baf6d36df5e101c81ae4e43e24014ee19f1d4d4fd5149655933097452f52a4250c2b4a5850deb023
-
C:\Windows\SysWOW64\tiwi.scrFilesize
300KB
MD5418d219b82672e9ff93236d4739d1733
SHA185d56ad4e3af2eb6905a0f2b0ffdff2d295ee05b
SHA256339f69c2e56f55e0241168e40634b7aab8c3b3cae6ac0b567398e8f985adada7
SHA5129bdaffd2a367942ba07470017806eef344c11391e088e19c81770945c0e437a0febbb44eb541c4a9dbf1110d15713b819b470bdcce40601c0831b0d55e3884de
-
C:\Windows\SysWOW64\tiwi.scrFilesize
424KB
MD5e5315e30f5e42b4bbd65ac9feb6dfb8e
SHA1b177ac63e878c02d06dd257886af64789b0376ce
SHA25672bdd6dac50bdda34e3417eb71adf99aa10c3c42d767751ce05538dac540a896
SHA5127d378130d41011ad36214992f5fb43a361a9041911d9010024f687896c9a14dda68bcde2237995a3a6b946a823b9c4535be5dbf80f8a4a1c9e359ec57fd27161
-
C:\Windows\SysWOW64\tiwi.scrFilesize
341KB
MD51339d78686c55a7556aafb3cdaac13f8
SHA10948ad2fdbd0d37fb36614453d457e41d6e70273
SHA25652ff32f928fe9e69fa12e024328e5a204ebafd96736601dee926fae16e190022
SHA51200c0726e7e0b936b337dd3e3b834e4712281eddd2f64d934037b81e7936097920cc2f80e56823887c95af8fe0d7ee49663a090ea8e4175ee0fe6f854d2ca537e
-
C:\Windows\SysWOW64\tiwi.scrFilesize
228KB
MD565f3ec8b50e92196e19cb0aae51a6982
SHA176c7fb735eb72c57388746299c5c03a6f3476173
SHA2564d14c8db810ba896c85bcdef0c34afc5b972cdaefbdb98fca7c19818a60c531b
SHA51278fe8f579b7a5dc2d86c5a68f418c9c27eae420edbdff24730fbee38363f46c36acd70b1f609cbb48294e143c5a409f29b5054b13f6a3c4dbfa95fe363466317
-
C:\Windows\SysWOW64\tiwi.scrFilesize
331KB
MD52e201bf06498016354701a935e45e833
SHA1c7ae08e386039f161de85f732f2ab994f3522ab8
SHA2560e879a8e7b0fcfd6b5f8d43253b37357ad8b6e2a965a213344824e3799d1d56c
SHA512bf264b4637abefd7887d2563abd931e5b9d56fe4e081dd2048b1ade552083b273874353bd13fefdb3888f16e6faee649c0137a669eefd8b0c43209f588085246
-
C:\Windows\SysWOW64\tiwi.scrFilesize
476KB
MD57e939c33c2a22f9ed27e63f66547ee9a
SHA10b45b7776fa4b27d3a5eb05f8cc05ac8e286e27d
SHA25642b8f565f033055bd3d81feebf287cbe3e043c95c3155f078698ce77d2da645f
SHA5122ae29aab38653ab876d8dd41a59ef3ebb52109dfbef60556d572c41ec85e1b13687833d3be1c46be1d7ecc5b7838ae277d565d2accbcc371c70f62a7d47a2c66
-
C:\Windows\SysWOW64\tiwi.scrFilesize
377KB
MD5efce395f4f909e28a796139f0fceef5e
SHA1279dbdbc651dcd69b8afeaa626a9bfc3ac933173
SHA256511e19449b148682ef9513b9dce9b84878d0dfc3a471b9f27c0d913d4cbfb427
SHA51283a04df8afb1333aa33700b42923cb66e5773ebf5c3d906cc5a52fc60ce61cc4cf97af742d2a0dc9979a743173dbd27aca0cdb1a9caf01cdadda499c995f0db9
-
C:\Windows\Tiwi.exeFilesize
535KB
MD559509c61aac3adc6f24f9e27daeb0abf
SHA154655b4210e88c8df18065f4f27428e45cb634d9
SHA2565f53c699a05ac0a5713b4b22191e68e02681d3b2bf7c0a7e77ded99a25bc141f
SHA512c70346f5b429748c9dbb26c21818740c63762f4fcb1217bf8ba84a723e35eadc26c9f3dbdb714ea9d71de26e96999ee3c7cb0a7192f55be7f3bf0d358ab5ed82
-
C:\Windows\msvbvm60.dllFilesize
790KB
MD5d0e6cb7037e0e67286c83834f1723453
SHA1eb1c83f3b76ca7da1d560d20b3cded4da37ecc3c
SHA2564e56db49f8f17a2ccc5b51fcc4639db5a5732820ee3d1664554708f940ab0d5c
SHA512a1502a1d033036de73dc15a5e120be9c2515a44d41e168c18e350d144c8b281c9f9ddd0513e19cdc06c5feef0cc11f304c8dfd59c489a82b5057b74ec98d45d4
-
C:\Windows\tiwi.exeFilesize
545KB
MD5ebb33f0df74a27536754348c6b4a649e
SHA12e59b165d540a0b3e878f4870202acd26eb668b3
SHA256abd038e4eedf757f1b6dd50a89903a3f4b7fc8b70c533287dac2787054ff5879
SHA5120c2ad84328f0e92a552b2d332276338e86433d6d9bbfa87c61b33403d5e1735dc04551398c357b8bc35e73410604a1830dfb2f9aeb878c83dfc8f6e760221911
-
C:\Windows\tiwi.exeFilesize
338KB
MD52c762b18dadb2a3fc391c599238468d7
SHA126056d554ac47ca82b67a8f209f49a84c5f1e6a3
SHA2564be9ee70f708ca78bf6f49d666b1fd0712da52fdff95539da9508d3b8e1fec66
SHA512cf55859d57ab76a759c685a435de3bed43551b901565ad6264eff7dc66bc41fc0818d1ca85750edb801d1d04cc87ed06b34804ceb6f7d96bfc16cde8bdcc4338
-
C:\Windows\tiwi.exeFilesize
226KB
MD5f92d52a54fe7877a214cafd6eb7eceb4
SHA14ca28c82bea777a66cb72e2d366b2396bcc2df19
SHA2563869f5a1ea0ed473afe73590e9f918b4ac35de9c2ff08981ab32be44f0808cca
SHA5124400348256a05a1232fbe3ff8222269ec77ebf243b23135800da222397c0f73382c64e460d9cb254739e11a476ea8e172a4264b44fc654105ba01dbfbd8bc548
-
C:\Windows\tiwi.exeFilesize
464KB
MD56837c0b31f2bd5995978485e37d7a74f
SHA1ba6135bd62bab65d4490e6439c73932557ef8027
SHA256968303cdbedb7b2b9698e428a04f0fc9c7fe5c032c98d364bfcc5d14c7427087
SHA51294664ad7758a2a79210d5a55ccda1d39af3b243bce03541e9467128a639170b591105dba1636ca6af29c6bbe9c7e232b5e682df06fb50c67a25344cf8aad3988
-
C:\present.txtFilesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
C:\tiwi.exeFilesize
583KB
MD55ebd214f6557fbe16e2603b94da9a593
SHA12887ff56ae5b2cc3d0614e7eff9ee2ff7f4ff536
SHA25698546ebb9c998dbabf767be6173d40733b4f69816b64071df81d8b0050830566
SHA5126864eb8eeb6cb0e5622846019823fb4484deaec5ee92ac86835f85160d9776a96266b2024cf3c8fca3706b7961d3fdec5adc3e5624c6be6962e6412bcc394484
-
C:\tiwi.exeFilesize
442KB
MD5a240227f93a5f3263b0566307e1fbeaa
SHA1d123af1c06a8c700923fd520a8730209da75c31c
SHA2568e654dc5d3a491ff9c5f97fd873d454905b67453f551404314445ee615efd92f
SHA512b9952b5597475617a150c663034218bfe1096f36a554086b5861e941735f28fd99eeb42d62ffc1fa55db49cc82916830d042f1d669cad21786ce25440be9dc41
-
C:\tiwi.exeFilesize
411KB
MD5553a8de7adf3dbb97517b21417bf31a4
SHA1568ceb73b981aeb4a97ca94962e599ccf006784d
SHA256eb1f3653febf9b857a749633177c45c085b70912564cf2f8b44181c814ee13ee
SHA512a9ad0f837ffb14dc085ac37a04d58f73d1fbdf01dae4743de29e0599f06076eb3e9487d55f0542cabcd17c84241f8ac27364e65ec299ae221df48045c337458f
-
C:\tiwi.exeFilesize
235KB
MD5186abc61e3ea83da46dcf7fe1ea18374
SHA14612d17b6087cb65fe30bcebcd43b94a92caba86
SHA256ea24baac4cd695da99307110f51dddb631abf8c7ae6b2a69e15dc2787938c493
SHA5124ae47c0badd04523391eb65ed2129d4d64119b44ed5fdd47a80cdbdcf94d12ad7157842775e3236e7ad1a9bc9493088f3c03540e90809bfb6d814567664e60ae
-
C:\tiwi.exeFilesize
338KB
MD5a9d190f02ba080aee5c91577c35d5ff4
SHA17f8dab7eefa151a5a43bda6813e27d73de197f38
SHA2567158825301fde8744ee94a067bef1d27c458a8d5fb6255f57673745a7dfac3b7
SHA512595d6099a2897e5d59a98c5efdb61486e58fc37ff1a43133339ed9ae191c8960655449a9d2faf37fd96918e819f39fd9be4045e63c0ff7c67525ecb7396dc3d2
-
C:\tiwi.exeFilesize
217KB
MD54f1258b6221296b3ac08252fe7ee2282
SHA18025d5d168f51691d57592337f564ad8f8a4aea6
SHA2569bba77f7f3538bc54e9c1dbf484072b73e5a8c51b6176b5b0fd75216a3647477
SHA5127e5fa20403c0a01fb54a0d0fc40b667dff42108083a4a2d25733f8596188595351644f3a5fb5d3dd14eeea8f6b9bf1ddd9c052b3f4b51be29fca01e03fcecca3
-
C:\tiwi.exeFilesize
330KB
MD5ab61dc5d77a5c412890074ba8bb95efc
SHA1712cc513001e0ee8f4bb9a18dfa628c5c1af6b9d
SHA256722fce7993c0d7d97c102cf7bff34f8e48cc4733ef76aaa3cd4c7222afb714b6
SHA51245542a1811242a0da3586f82f8e1e23ba2bf8e1e8bee36f2857e1f8b869b9c3fc5ada11b91fa44bb45938f4eb075b27b3213e5a1ccd7ea88614d2d84649d21c4
-
C:\tiwi.exeFilesize
272KB
MD53543e0b1e1a65460b40f89df3c7310e6
SHA15765284063ad473ccc59d3035a98c5799f6e60ed
SHA25694e70a3a14885925f945e77730ba805664f1714c9e8b9ca22532e4d803fe83ec
SHA5126deef296b3a94fd8b173ef8b627922515a4b89e6eda74e448ae6930711d61ac462aac53eeea02763f53861a072b5270582a755b6d00109657d947e11d885e942
-
C:\tiwi.exeFilesize
260KB
MD56c3afba074c4195cbd1a27797b34033e
SHA1aa839d32ffd73e4ad506d3deca15e8ccfed323e5
SHA256a8d28541613f0589122bec136f57ffa2cf59d98dc3362f936535038ec8490e52
SHA512dc03ad8780055417df6ad8b3fb91c7a52d0caf12de2e61b8ffb1c48179fa61c1f34abc552ff82569097ec32f9b154aab8165c019ce56f63f8b5004b976869824
-
F:\autorun.infFilesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
memory/116-298-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/116-110-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/116-356-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/456-185-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/456-199-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/976-275-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/976-310-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1160-342-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1512-329-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1652-158-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2196-262-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2196-354-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2196-96-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2200-321-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2360-305-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2632-352-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2680-355-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2680-269-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2680-102-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2688-200-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2688-274-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3152-358-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3152-308-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3152-122-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3256-316-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3480-344-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3480-337-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3500-341-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3708-164-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3708-160-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4000-339-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4204-304-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4204-318-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4244-273-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4244-265-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4256-125-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4256-0-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4488-357-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4488-302-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4488-116-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4696-272-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4696-300-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4704-313-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4792-326-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4844-181-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4844-166-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4856-351-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4880-307-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/5024-353-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/5048-327-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB