Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 09:21
Static task
static1
Behavioral task
behavioral1
Sample
3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe
-
Size
351KB
-
MD5
3c901f9b60f23c24c61649a34197c917
-
SHA1
87bea37c66f4a34f3730acc7606d106731fca1fb
-
SHA256
48ca85344797b23064d90fa7a7d294f071bc136ba25135c2059a70b64aafb862
-
SHA512
10b6c665145d569efc939ed1ccf7cdf80f3ea84fb5f0ab344f0ab3a561f9a630750de77e9420b3e68dffa548c0562ae092f4d873aaa96082dd9a66137a216b6f
-
SSDEEP
6144:V/OZpljYZplx/OZpl7/OZplx/OZplQ/OZplU:V/Mjqx/M7/Mx/MQ/MU
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2208 Tiwi.exe 2028 IExplorer.exe 1948 Tiwi.exe 932 Tiwi.exe 2536 IExplorer.exe 1032 Tiwi.exe 1732 IExplorer.exe 1268 IExplorer.exe 672 winlogon.exe 1844 winlogon.exe 1484 winlogon.exe 2960 imoet.exe 2060 imoet.exe 2248 Tiwi.exe 2096 imoet.exe 2312 cute.exe 1312 IExplorer.exe 1536 cute.exe 2900 cute.exe 2480 winlogon.exe 2652 imoet.exe 2616 winlogon.exe 3064 Tiwi.exe 2356 Tiwi.exe 2364 cute.exe 2384 imoet.exe 3024 IExplorer.exe 1160 IExplorer.exe 756 cute.exe 1216 winlogon.exe 2640 winlogon.exe 2560 imoet.exe 2580 imoet.exe 1532 cute.exe 2544 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2028 IExplorer.exe 2028 IExplorer.exe 2208 Tiwi.exe 2208 Tiwi.exe 2208 Tiwi.exe 2208 Tiwi.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2028 IExplorer.exe 2028 IExplorer.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2028 IExplorer.exe 2028 IExplorer.exe 2208 Tiwi.exe 2208 Tiwi.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 1844 winlogon.exe 1844 winlogon.exe 2028 IExplorer.exe 2028 IExplorer.exe 2208 Tiwi.exe 2208 Tiwi.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 1844 winlogon.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 1844 winlogon.exe 1844 winlogon.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2312 cute.exe 2312 cute.exe 2960 imoet.exe 2960 imoet.exe 2960 imoet.exe 2960 imoet.exe 1844 winlogon.exe 1844 winlogon.exe 2312 cute.exe 2312 cute.exe 2312 cute.exe 2312 cute.exe 2960 imoet.exe 2312 cute.exe 2960 imoet.exe 2960 imoet.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\Z: cute.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\X: Tiwi.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\X: imoet.exe File opened (read-only) \??\M: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\O: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\X: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\B: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\G: winlogon.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\E: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\R: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\U: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\Y: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\I: Tiwi.exe File opened (read-only) \??\S: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\H: cute.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\I: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\S: cute.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\P: imoet.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\T: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\V: 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\O: winlogon.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\autorun.inf 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File created F:\autorun.inf 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification F:\autorun.inf 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File created C:\Windows\SysWOW64\IExplorer.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\tiwi.scr 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\shell.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File created C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2208 Tiwi.exe 2960 imoet.exe 1844 winlogon.exe 2028 IExplorer.exe 2312 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 2208 Tiwi.exe 2028 IExplorer.exe 1948 Tiwi.exe 1032 Tiwi.exe 932 Tiwi.exe 1732 IExplorer.exe 2536 IExplorer.exe 1268 IExplorer.exe 1844 winlogon.exe 1484 winlogon.exe 672 winlogon.exe 2960 imoet.exe 2248 Tiwi.exe 2060 imoet.exe 2096 imoet.exe 2312 cute.exe 1312 IExplorer.exe 1536 cute.exe 2480 winlogon.exe 2900 cute.exe 2652 imoet.exe 2616 winlogon.exe 2356 Tiwi.exe 3064 Tiwi.exe 2364 cute.exe 1160 IExplorer.exe 2384 imoet.exe 3024 IExplorer.exe 2640 winlogon.exe 1216 winlogon.exe 756 cute.exe 2560 imoet.exe 2580 imoet.exe 1532 cute.exe 2544 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2208 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2208 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2208 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2208 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2028 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 29 PID 2980 wrote to memory of 2028 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 29 PID 2980 wrote to memory of 2028 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 29 PID 2980 wrote to memory of 2028 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 29 PID 2980 wrote to memory of 1948 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 30 PID 2980 wrote to memory of 1948 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 30 PID 2980 wrote to memory of 1948 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 30 PID 2980 wrote to memory of 1948 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 30 PID 2208 wrote to memory of 932 2208 Tiwi.exe 31 PID 2208 wrote to memory of 932 2208 Tiwi.exe 31 PID 2208 wrote to memory of 932 2208 Tiwi.exe 31 PID 2208 wrote to memory of 932 2208 Tiwi.exe 31 PID 2980 wrote to memory of 2536 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 32 PID 2980 wrote to memory of 2536 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 32 PID 2980 wrote to memory of 2536 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 32 PID 2980 wrote to memory of 2536 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 32 PID 2028 wrote to memory of 1032 2028 IExplorer.exe 33 PID 2028 wrote to memory of 1032 2028 IExplorer.exe 33 PID 2028 wrote to memory of 1032 2028 IExplorer.exe 33 PID 2028 wrote to memory of 1032 2028 IExplorer.exe 33 PID 2028 wrote to memory of 1268 2028 IExplorer.exe 34 PID 2028 wrote to memory of 1268 2028 IExplorer.exe 34 PID 2028 wrote to memory of 1268 2028 IExplorer.exe 34 PID 2028 wrote to memory of 1268 2028 IExplorer.exe 34 PID 2208 wrote to memory of 1732 2208 Tiwi.exe 35 PID 2208 wrote to memory of 1732 2208 Tiwi.exe 35 PID 2208 wrote to memory of 1732 2208 Tiwi.exe 35 PID 2208 wrote to memory of 1732 2208 Tiwi.exe 35 PID 2208 wrote to memory of 672 2208 Tiwi.exe 36 PID 2208 wrote to memory of 672 2208 Tiwi.exe 36 PID 2208 wrote to memory of 672 2208 Tiwi.exe 36 PID 2208 wrote to memory of 672 2208 Tiwi.exe 36 PID 2980 wrote to memory of 1844 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 37 PID 2980 wrote to memory of 1844 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 37 PID 2980 wrote to memory of 1844 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 37 PID 2980 wrote to memory of 1844 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 37 PID 2028 wrote to memory of 1484 2028 IExplorer.exe 38 PID 2028 wrote to memory of 1484 2028 IExplorer.exe 38 PID 2028 wrote to memory of 1484 2028 IExplorer.exe 38 PID 2028 wrote to memory of 1484 2028 IExplorer.exe 38 PID 2980 wrote to memory of 2960 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 39 PID 2980 wrote to memory of 2960 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 39 PID 2980 wrote to memory of 2960 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 39 PID 2980 wrote to memory of 2960 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 39 PID 2028 wrote to memory of 2060 2028 IExplorer.exe 40 PID 2028 wrote to memory of 2060 2028 IExplorer.exe 40 PID 2028 wrote to memory of 2060 2028 IExplorer.exe 40 PID 2028 wrote to memory of 2060 2028 IExplorer.exe 40 PID 1844 wrote to memory of 2248 1844 winlogon.exe 41 PID 1844 wrote to memory of 2248 1844 winlogon.exe 41 PID 1844 wrote to memory of 2248 1844 winlogon.exe 41 PID 1844 wrote to memory of 2248 1844 winlogon.exe 41 PID 2208 wrote to memory of 2096 2208 Tiwi.exe 42 PID 2208 wrote to memory of 2096 2208 Tiwi.exe 42 PID 2208 wrote to memory of 2096 2208 Tiwi.exe 42 PID 2208 wrote to memory of 2096 2208 Tiwi.exe 42 PID 2980 wrote to memory of 2312 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 43 PID 2980 wrote to memory of 2312 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 43 PID 2980 wrote to memory of 2312 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 43 PID 2980 wrote to memory of 2312 2980 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe 43 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3c901f9b60f23c24c61649a34197c917_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2980 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:932
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1732
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:672
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1268
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1536
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2536
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1312
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2960 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3064
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1160
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2312 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2356
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5a4c87d6f4858f1328a22d898ccc5d680
SHA1cfe96f6facc0ab950e0ceafa640d02f94384b989
SHA256ff61726a9498e8f6676ee052dd05eeaa7ae9cd0a1222988d104303387fdc1bf8
SHA5125ef7cb13de495158f125e61648443e3a8671519d2cb6498df42e466b64e3c70829b910691633115d3799c039c44e6c32e56466f556864a6eaedc9ddc3f1c9124
-
Filesize
351KB
MD57f56fe84b68683e6780a14df24b2e0b5
SHA192edef557da4b64900cdab2039b0ab25e42d4fb9
SHA256a65597591cd0fefc937cbc6ce3825a20acdf4bf550b2a3d3e163c9dfb53a4604
SHA512e07eeaed4c1a7f4cd0be7cf4bebc0e9fde1784af8a83bf3e352cc6e46941182e12a81e639c4dfca88f770640efc964e07cf74dc806a764b99978051b49d06236
-
Filesize
351KB
MD59563e7379235581c1cb52452d1551466
SHA144d06e71d622abe3b4017fd0cb9b7a5eff95a4c3
SHA256052370172f9ba89d484f3d231998fda9aff7a1e16121ad329d39842738dc0d5b
SHA5123d55657e71500ce1c930b6f04728fb930131d4540e356213206fd25967c855b4d055491e69ebcc717bdd7e004c936c7f95b3f8ef7fa67986dcaeb9d5915b5ef9
-
Filesize
351KB
MD53f6f4084b4fb56aac18b25742401f103
SHA11aa449184ed57a14a693746a4b65d4f133bfdbd4
SHA25613c3a23876a452d63b0ed22dc3883e4ebc5e8ace9d2266c9c29121bccc7d775d
SHA5128fb5a3494efdc77a07925b62a528e84cb12830712bc0a61690b0161429c4bac88c9e12372605f4168a39f1f7e5f6bd542aa9ccacd456a285e1b31ffd6769ba60
-
Filesize
351KB
MD5bd5dd2c09d848786a26721a133a5ea3c
SHA128c7035cf05614be9ec35cc5236a4733bda9c03f
SHA2566593cf97197a56a2328ce93a6db3e0cb6e2a061abe6fbfbf0b12ccb858e29a7a
SHA5127ff3a55e80a425476fb2b3f47c6dab9a34a63f984d285830dfa9d2568b13642b9d5b1ef005d078057b54d1e7339060c95362ebd34cd5570a5a2a39c4297fada3
-
Filesize
351KB
MD5222c7d22c0dec1d04d62324f030d3e9e
SHA1562c9596da5c07198ecb3b7fe99445e24aad6e8a
SHA25602299cf4632778accdb75d502d43671e7c333d2b751b9195a38787d20fe380ba
SHA512c0a015c3f332ba533660b4449e40f34d53d4254cfaee3e1db20d52bcd937a6f456372d24e9069f6f3ba57eae052f628cb6b4d26f4b862843e6a69648cb245d48
-
Filesize
45KB
MD5870b4cc0207581973a2ca0b12c6fc653
SHA167c49aada9c0e738b18d3dd45ddd3f7fc729f109
SHA256fe1fe45d6a1311cf7827ddbe739b126a321d706a4a75eaf7af677c6435173a9d
SHA512fa99ce430eafc27d8e173559e72baaa8eecf7491a8ff2999507a3052e8bfe970ad5fcef674d5ee29b62617b5f02b379309ed03f19e0980a59b64c85e6f45bf91
-
Filesize
45KB
MD57f55160516dba9f416f13e7c40b80a86
SHA1eeb0aee328f98d2f34cf60c81d7dce2aa126f1f9
SHA25646f4d33fa47aaf7abdf9f90d358964bd5e0e55196274e789ca4e62b513ae6fd4
SHA512330183b91907b12064692756cdb4eea4834a64776a90dff69224d8ba7536226418778a672927c0f5743ec4997fe8d52c2c9f58046c3114a3d3663114d96f20a0
-
Filesize
45KB
MD5810696065d10a4cafd8406ccbdc45875
SHA1ae3f2fa226bb2447daa0ebbb9bada17b887ac7c1
SHA256b7d32e5b907883ce0ca81c750047fcabe0388f5ba6cfbe3e568a08b3a93993b9
SHA5124ada049221d295ea691bfae461432cd11370e3449e49b57c9c3eb98fc10c2e3686641a390fb23de66abeb97d514ad697c02fa027876f48c2d2fd51422fd784b4
-
Filesize
351KB
MD5b5181f00fdeb93560a0756ea262dbc04
SHA192d328a4fec8f1c626eed597381218bb9bab1a4d
SHA25656389165eda4f2498d9c2bac10f235767e1008a8d5bdfbe1c4a750ae1ec9512c
SHA5127bb49488c89395f0112eda4f101a9cad9a1dc22850087def10028ff185a2f155eade8e9544ec8b5b50545c81b3207c9602c444ad7de6c2d84e2f06bd57fcfe9a
-
Filesize
351KB
MD5f3c7fc2820e5c421eecea309124d6973
SHA139d1598fee009621959cd528debe3b7ea662f9ee
SHA256b2634d074187d278bf9ca11de073ab02e0ba7bfbbbb6a4b764de86af836fa76d
SHA512032d027f8fa1c7cca28cd9f3aead1a5690b3f04726fae386f092a3f7b52f2fa0bf8611e06e04b9878330fb5e6401745292d320815282d02dda9f1078e2c5265e
-
Filesize
351KB
MD57953e95f6c890be569f2fb8719cba7fd
SHA10c0e5b384efda507b07de97f3d61cf813b4bf0b5
SHA2568253890b42f2c958b4a5977fa1c7723045c3c7e503eeac74f34ca4d975c7900b
SHA512f42b2d6ddcddc676db202d26a6774411a4c15ba197daea1f40e640b10d2d01a547ad4da3ee47a7f64b2471d57b732f00900f142c6aafb0644337236028c0625c
-
Filesize
351KB
MD5a032e025ee8c0f037c61b3bb00ca33d6
SHA1761d9e7e3df4b9ed7d96325d5a67442f5254dc13
SHA25648abd324eb4d8e8b2a86e5abcb2060e11f8b7161047f8983de490fc2b3ec7781
SHA512397ddefcf0674b1ef9d92b724ca6e6d7f1241d7060920162d686d0f5d9713d472710c7b9c179dadd882950287ef02a8cd44e21ad3218d74cedf2f6b6e4fa580c
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
351KB
MD5c8aa0047cb2462df93e598935a27b3ae
SHA1548b1fdcb7eeabac08492585b34b7e05962e32e3
SHA25622195f512b4cb7fceabedb282ca947e7d910f4272f048406b9d94453a835db87
SHA5125e3ab912640f1285ebf298ac260eb555f35a50d8aa3beef09995a0f6f8aa42e5fc83fe6b2c956e631990799e9a668aef6de78d9fc0e7c862e4ffbdac9bb8513b
-
Filesize
351KB
MD552a24c3927a66a6b4ba0192cd52bb5f3
SHA1eca79c2af826daff2dd1f970c5d03c6bfd86a57c
SHA256d868255b5cbc00e94022c055a298f741805c9697fcb81c3846c78401d53bc151
SHA51235cd7af1ebab8a1ac9c8cc67e35e6f75b3489bb414d900fdf1c490624474ab30569c0c1a545928c781c504b011b384f649e05c2eccc43321aed63363d532b865
-
Filesize
351KB
MD53c901f9b60f23c24c61649a34197c917
SHA187bea37c66f4a34f3730acc7606d106731fca1fb
SHA25648ca85344797b23064d90fa7a7d294f071bc136ba25135c2059a70b64aafb862
SHA51210b6c665145d569efc939ed1ccf7cdf80f3ea84fb5f0ab344f0ab3a561f9a630750de77e9420b3e68dffa548c0562ae092f4d873aaa96082dd9a66137a216b6f
-
Filesize
351KB
MD53e57064c98c8255393ce8264ed92d756
SHA1657de0cd90a6d4aacf53bfb4473e7ad0f0f07aec
SHA256bb06ab876cda205bcb256fae79713f42b47b01397fcac2cc94f59777439f6b2c
SHA51278c7cfae9851e4e42b5afdedcc2d6fb21797dcb61847b663963876a5207551caf96aac8a95e7e532eb946a8ea6f2229153e9916c4b093f1c997627733c7ca661
-
Filesize
351KB
MD51bad494aa95feb1d8a853cf4e2f54428
SHA14d68888f0f8181240f7db168f2ea7895e80c9c19
SHA25637ef54029fd7cc1019f35cf637b62fb67a59f2c5ff8a72307256672e4a33a8f5
SHA512ba8f87fc264e593714feb1a52d00e1fe6f490c2c4cb12c8fb266f4620c6d0b953288626fba71bbf2a45c5eaf20277d5b890ddd471f7fed506137a81a772ca481
-
Filesize
351KB
MD52be94c411efa3d980dc7807272a70426
SHA1b7c70117abb68c0ae124046c714513cba8f04e30
SHA256e92f6499898551fe35837d28a6807b17b672a22e6ca175c8a27927e5cf859e0b
SHA512073154267a6db7ceec5c0b8a6c1a0c23d8dbc440eec2269ce9941984328ca5c14574f6dc45ec495de1455937503f08e84bf821f4c481b889620b0e8c91a1da54
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
351KB
MD5bad463d1b74fc207ce2c6821c85983c2
SHA1d088de5bb782e4015fd221e9b86c1782a30d7b96
SHA256fe11c94da2ef8f4e368c961eb3e1b6c6518e3a49da21670fc6e32bc7dd62f742
SHA512d557da6334ade40e7167c80340311a3e374a5b430b6bd5afbca7622c7616c2e4a3511bc152aeb1cb0b585c8e89de8e09660207b467e794531c9608a64b84abb9
-
Filesize
351KB
MD5f02f675e61530ff666b17a739b9462cc
SHA12a4c33527d54b2a98eaee00c0d774d1496176696
SHA256b07101438464175a6fa3a57318dcd57752fd1c52e0aaf2c523df8e753a43c574
SHA51244110e4a755875d88279e91c9ef89984f82d262fc4febeb6b930d912ad3bc5b647e5f49b56b9cd99c8672e864ff242c6905fa0589a083295d10e2d7bfcddb39f
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
351KB
MD5af1aa4000dcb56457d7e61a641d90d3e
SHA1fab0a1228de9c9f20d2cbbe55bcf130936155378
SHA25669a5225c12e2a0eb57bb96d5cf98ecc8efba8126dccea1e60d0ec7198c506ffd
SHA51230ef1c8c63df38d0cfa4ae7794c06638de3ab85ccbf818ee5dcb16845ac855935e8b130e7f6fd6d2df34e2ce50b66c361f6454e5e8ec8e0bdb459758571a62a4