Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/06/2024, 19:25
Static task: static1
Behavioral task: behavioral1
  Sample: 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
  Resource: win10v2004-20240508-en
The signature listing below is from the windows10-2004_x64 run (behavioral2).
General
Target: 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Size: 488KB
MD5: 549b285b034030900764b8ca09f9ac26
SHA1: 81b386310f280e7788a0ffa1fa05fee6fe0fb817
SHA256: 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a
SHA512: 16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787
SSDEEP: 12288:V/M5/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V6K2O2HIBEd7M
Malware Config
Signatures
Process names in the rows below (Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe) refer to the sample's dropped copies listed under "Executes dropped EXE", not to the Windows binaries of the same name. The sample is a 32-bit executable (it drops its own msvbvm60.dll, the VB6 runtime), so its HKLM\SOFTWARE writes appear under WOW6432Node and its system32 drops land in SysWOW64.
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
  by IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
  by imoet.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe
Both values land in the WOW6432Node view of the Winlogon key because the sample is 32-bit. The 64-bit winlogon.exe and userinit.exe on this image read the native key, and the IExplorer.exe named under system32 was actually dropped to SysWOW64 (see "Drops file in System32 directory"), so this persistence only takes effect on 32-bit Windows. The Windows defaults are Shell = "explorer.exe" and Userinit = "C:\Windows\system32\userinit.exe,"; anything appended to either is worth a look.
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  by Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults; the sample re-asserts them so that hidden/system files stay out of sight and executables are listed without their .exe suffix, which is what makes the "File Folder" type name set under "Modifies system executable filetype association" convincing.
Disables RegEdit via registry modification 6 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  by Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Disables Task Manager via registry modification
(no IoC rows listed)
Disables cmd.exe use via registry modification 6 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Disables use of System Restore points 1 TTPs
(no IoC rows listed)
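Added example (editor's code, not part of the Triage report or of the sample): a parser for the "Set value" / "Key created" rows in the sections above, followed by a baseline check that flags the Winlogon, Explorer and policy values this sample writes. The row strings are copied from the report (one per distinct value) plus one constructed benign control row that is not in the report; the expected defaults are Windows 10's, and the WOW6432Node note is emitted because a 64-bit winlogon/userinit reads only the native key.

```python
import re
from typing import Dict, List, Optional

# Rows copied from the report above, one per distinct value. The last row is a
# constructed benign control (a default Shell value written by a fictional
# "setup.exe") and does not appear in the report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
]

# One report row: action, registry path (may contain spaces, e.g. "Windows NT"),
# an optional JSON-style escaped value, and the writing process as the last token.
ROW = re.compile(
    r'^(?P<action>Set value \((?P<type>str|int)\)|Key created) '
    r'(?P<key>.+?)'
    r'(?: = "(?P<value>(?:[^"\\]|\\.)*)")?'
    r' (?P<process>\S+)$'
)

WINLOGON = r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
ADVANCED = r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
POLICY_SYSTEM = r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
POLICY_KILLSWITCHES = {'DisableRegistryTools', 'DisableCMD', 'DisableTaskMgr'}


def parse_row(row: str) -> Optional[Dict[str, object]]:
    """Turn one report row into {action, type, path, name, value, process, wow64}."""
    m = ROW.match(row)
    if not m:
        return None
    key = m.group('key')
    if key.startswith('\\REGISTRY\\MACHINE\\'):
        key = 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    else:
        user = re.match(r'\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\(.*)$', key)
        if user:
            key = 'HKCU\\' + user.group(1)
    wow64 = '\\WOW6432Node\\' in key
    key = key.replace('\\WOW6432Node\\', '\\')   # compare against the native path
    path, _, name = key.rpartition('\\')
    value = m.group('value')
    if value is not None:
        value = re.sub(r'\\(.)', r'\1', value)    # undo the \" and \\ escaping
    return {'action': m.group('action'), 'type': m.group('type'), 'path': path,
            'name': name, 'value': value, 'process': m.group('process'), 'wow64': wow64}


def check(rec: Dict[str, object]) -> Optional[str]:
    """Return a finding for a record that deviates from the Windows 10 defaults."""
    path, name, value = rec['path'], rec['name'], rec['value']
    if value is None:
        return None
    finding = None
    if path == WINLOGON and name == 'Shell' and value.lower() != 'explorer.exe':
        finding = f'Winlogon Shell replaced with {value!r}'
    elif (path == WINLOGON and name == 'Userinit'
          and value.lower().rstrip(',') != r'c:\windows\system32\userinit.exe'):
        finding = f'Winlogon Userinit chained: {value!r}'
    elif path == ADVANCED and name == 'HideFileExt' and value == '1':
        finding = 'Explorer forced to hide file extensions'
    elif path == ADVANCED and name == 'ShowSuperHidden' and value == '0':
        finding = 'Explorer forced to hide protected system files'
    elif path.endswith(POLICY_SYSTEM) and name in POLICY_KILLSWITCHES and value != '0':
        finding = f'{name} policy set to {value}'
    if finding and rec['wow64'] and path == WINLOGON:
        finding += (' (written to the WOW6432Node view: 64-bit winlogon.exe '
                    'reads the native key and never sees it)')
    if finding:
        finding += f' [by {rec["process"]}]'
    return finding


def audit(rows: List[str]) -> List[str]:
    """Parse every row and collect findings; rows that do not parse are skipped."""
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec:
            finding = check(rec)
            if finding:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for line in audit(SAMPLE_ROWS):
        print(line)
```

On a live host the same `check()` can be fed values read with `reg query` or `winreg`; the only sandbox-specific part is the row regex. Treating HideFileExt = 1 and ShowSuperHidden = 0 as findings will also fire on untouched default profiles, so in production they are context for the Winlogon and policy hits rather than alerts on their own.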
Executes dropped EXE 35 IoCs
Tiwi.exe: pids 3568, 1608, 4072, 4804, 3732, 1236, 2684
IExplorer.exe: pids 4264, 1884, 3780, 3976, 2792, 3092, 1404
winlogon.exe: pids 5052, 3252, 2076, 2736, 624, 756, 1820
imoet.exe: pids 4428, 3692, 3744, 112, 3740, 748, 764
cute.exe: pids 2416, 4344, 2372, 1244, 2492, 3864, 1504
Loads dropped DLL 6 IoCs
Tiwi.exe: pids 1608, 4072, 4804, 3732, 1236, 2684
Modifies system executable filetype association 2 TTPs 64 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  by imoet.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, IExplorer.exe, winlogon.exe, Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  by Tiwi.exe, IExplorer.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, imoet.exe, cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  by Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, cute.exe, IExplorer.exe, imoet.exe, Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, IExplorer.exe, winlogon.exe, cute.exe, Tiwi.exe, imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  by imoet.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, cute.exe, IExplorer.exe, Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  by imoet.exe, IExplorer.exe, winlogon.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  by IExplorer.exe, imoet.exe, winlogon.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  by winlogon.exe, cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, IExplorer.exe, imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  by cute.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, IExplorer.exe, imoet.exe, Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  by cute.exe, imoet.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, IExplorer.exe, winlogon.exe, Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
The default open verb for exefile, comfile, batfile and piffile is "%1" %*, and lnkfile has no shell\open\command at all (the "Key created" rows for lnkfile\shell confirm it was absent), so every one of these writes puts shell.exe in front of the file the user double-clicked. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit registry views (note the absence of WOW6432Node), so unlike the Winlogon values these verbs apply to every process on this x64 image. The command names C:\Windows\system32\shell.exe while the 32-bit sample's drop was redirected to C:\Windows\SysWOW64\shell.exe: a 64-bit caller such as Explorer will not find the file, whereas a 32-bit caller is redirected and will run it, and on 32-bit Windows both paths coincide. Setting the exefile type name to "File Folder" (default "Application") makes executables show up as folders in Explorer's Type column. When cleaning up, restore the verbs before deleting shell.exe; otherwise no .exe, including regedit and cmd, can be launched through the shell.
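Added example (editor's code, not from the report or the sample): it expands a shell\open\command template the way a double-click does, shows which program actually starts under the hijacked verb from the rows above, and emits the .reg text that puts the Windows 10 defaults back. The hijacked template is the report's value with the escaping removed; the default verbs and the "Application" type name are the Windows 10 defaults; the file paths passed in are constructed.

```python
from typing import Dict, Optional

# Verb template as the report shows it (registry data with escaping removed) and
# the Windows 10 defaults it replaces. lnkfile has no shell\open\command key by
# default; shortcuts are launched by the shell's own link handler.
HIJACKED_COMMAND = r'"C:\Windows\system32\shell.exe" "%1" %*'
DEFAULT_COMMAND: Dict[str, Optional[str]] = {
    'exefile': r'"%1" %*',
    'comfile': r'"%1" %*',
    'batfile': r'"%1" %*',
    'piffile': r'"%1" %*',
    'lnkfile': None,
}
DEFAULT_TYPENAME = {'exefile': 'Application'}   # the sample changes this to "File Folder"


def expand(template: str, target: str, args=()) -> str:
    """Expand a verb template for a launch: %1 (and %L) become the selected file,
    %* the remaining command-line arguments."""
    cmd = template.replace('%*', ' '.join(args))
    cmd = cmd.replace('%L', target).replace('%1', target)
    return cmd.rstrip()


def launched_program(cmdline: str) -> str:
    """First token of a Windows command line, honouring a leading quoted path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(' ', 1)[0]


def hijack_reason(progid: str, template: Optional[str]) -> Optional[str]:
    """Explain why a verb template is suspicious, or None if it is the default
    (or the ProgID is not one this check knows)."""
    if progid not in DEFAULT_COMMAND or template is None:
        return None
    default = DEFAULT_COMMAND[progid]
    if default is None:
        return f'{progid} has no open\\command by default; {template!r} claims the verb'
    if template == default:
        return None
    program = launched_program(expand(template, '%1'))
    if program != '%1':
        return f'{progid} launches {program!r} before the file the user chose'
    return f'{progid} verb differs from the default: {template!r}'


def restore_reg(hijacked: Dict[str, Optional[str]]) -> str:
    """Emit a .reg file restoring the default verbs for the given ProgIDs. Apply it
    before deleting shell.exe, otherwise nothing can launch the cleanup tools."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for progid in hijacked:
        default = DEFAULT_COMMAND[progid]
        if default is None:
            lines += [f'[-HKEY_CLASSES_ROOT\\{progid}\\shell]', '']     # key did not exist
        else:
            reg_value = default.replace('\\', '\\\\').replace('"', '\\"')
            lines += [f'[HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command]',
                      f'@="{reg_value}"', '']
        if progid in DEFAULT_TYPENAME:
            lines += [f'[HKEY_CLASSES_ROOT\\{progid}]',
                      f'@="{DEFAULT_TYPENAME[progid]}"', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    # Constructed launch: the user double-clicks report.exe with an argument.
    print(expand(HIJACKED_COMMAND, r'C:\Users\Admin\Downloads\report.exe', ['/quiet']))
    for progid in DEFAULT_COMMAND:
        print(progid, '->', hijack_reason(progid, HIJACKED_COMMAND))
    print(restore_reg({'exefile': HIJACKED_COMMAND, 'lnkfile': HIJACKED_COMMAND}))
```

`hijack_reason()` keys on the first token rather than on the literal string, so it also catches variants that point at a different interposer or add arguments; a legitimate verb always starts with the selected file itself.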
Adds Run key to start application 2 TTPs 24 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
  by Tiwi.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, imoet.exe, IExplorer.exe, cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"
  by winlogon.exe, imoet.exe, Tiwi.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, cute.exe, IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"
  by imoet.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe
Unlike the Winlogon values, these entries do take effect on the x64 image: Explorer processes both the native and the WOW6432Node Run keys, and the per-user (HKU) entries are not redirected at all. The value names (MSMSGS, LogonAdmin, System Monitoring) imitate legitimate software, and the drop directory uses the XP-era "Local Settings\Application Data" path, which on Windows 10 is a junction into AppData\Local.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\<letter>: per process (the listing is capped at 64 rows, so a letter missing from a process is not evidence it was skipped):
1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe: B, H, I, L, N, O, P, Q, S, U, V
imoet.exe: B, H, I, L, M, N, P, R, S, T, V, W, Y, Z
IExplorer.exe: B, J, L, M, P, Q, S, V, Z
Tiwi.exe: H, I, J, K, M, O, P, R, U, V
cute.exe: B, E, I, M, Q, S, U, W, X
winlogon.exe: B, L, N, O, Q, R, T, U, V, W, Y
Sweeping the drive letters from B: to Z: is the worm's search for attached volumes to copy itself and an autorun.inf onto (see the F:\autorun.inf rows under "Drops autorun.inf file").
Modifies WinLogon 2 TTPs 18 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
  by Tiwi.exe, imoet.exe, cute.exe, IExplorer.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"
  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, Tiwi.exe, imoet.exe, cute.exe, IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(k aya di fs nya siafa yach??) :P "
  by Tiwi.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe, imoet.exe, cute.exe, IExplorer.exe
The notice text is Indonesian and reads, in English: "When the Princess falls asleep, I light a lantern to warm her and wait for her to wake. Who knows when she will see the sincerity of my heart.... (like on whose fs is that, huh??) :P". LegalNoticeCaption/LegalNoticeText are shown as a dialog before logon, but, like the Shell and Userinit values above, they sit in the WOW6432Node view and are not read by the 64-bit logon components on this image.
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
File created C:\autorun.inf  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification C:\autorun.inf  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File created F:\autorun.inf  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification F:\autorun.inf  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
The C:\ copy targets the old Windows XP behaviour in which an autorun.inf on any drive rewrote the drive's double-click and context-menu verbs in My Computer. Since KB971029 (2011) Windows executes autorun.inf only from optical media, so on patched Windows 7 or any Windows 10 host these files change at most the drive's icon and label; they remain a solid indicator of the spreading attempt, and the file contents (not shown in this report) name the payload.
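Added example (editor's code, not from the report or the sample): a tolerant parser for the autorun.inf format the sample drops on C:\ and F:\, extracting every command the file asks Windows to run and flagging the "looks like a folder" AutoPlay disguise that USB worms of this era used. The report does not show the sample's actual file contents, so the autorun.inf below is constructed; the padding line and the repeated [autorun] section are the tricks a strict INI parser trips over.

```python
from typing import Dict, List

# Constructed autorun.inf; the report does not include the real file's contents.
SAMPLE_AUTORUN = r"""
;;;;;;;;;; padding comment ;;;;;;;;;;
[AutoRun]
open=tiwi.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\Open\command=tiwi.exe
shell\Explore\command=tiwi.exe -explore
shell=Open
this line has no separator and is ignored
[autorun]
label=My Documents
"""

LAUNCH_KEYS = ('open', 'shellexecute')


def parse_autorun(text: str) -> Dict[str, str]:
    """Case-insensitive [autorun] section parser: keys are lower-cased, the last
    occurrence wins, repeated sections merge, and lines without '=' are ignored."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_autorun and '=' in line:
            key, _, value = line.partition('=')
            values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values: Dict[str, str]) -> List[str]:
    """Every command the file asks Windows to run, de-duplicated, with the default
    verb first because that is what a double-click on the drive invokes."""
    default_verb = values.get('shell', 'open').lower()
    verb_cmds = {k.split('\\')[1]: v for k, v in values.items()
                 if k.startswith('shell\\') and k.endswith('\\command') and k.count('\\') == 2}
    candidates: List[str] = []
    if default_verb in verb_cmds:
        candidates.append(verb_cmds.pop(default_verb))
    candidates += [values[k] for k in LAUNCH_KEYS if k in values]
    candidates += list(verb_cmds.values())
    targets: List[str] = []
    for cmd in candidates:
        if cmd not in targets:
            targets.append(cmd)
    return targets


def disguised_as_folder(values: Dict[str, str]) -> bool:
    """AutoPlay shows action= next to icon=; the worm pattern pairs a folder icon
    from shell32.dll with an 'open folder' label so the user picks the malicious entry."""
    action = values.get('action', '').lower()
    icon = values.get('icon', '').lower()
    return 'folder' in action and 'shell32.dll' in icon


if __name__ == '__main__':
    parsed = parse_autorun(SAMPLE_AUTORUN)
    print(launch_targets(parsed), disguised_as_folder(parsed))
```

Run it against an autorun.inf pulled from a USB image and compare `launch_targets()` with the executables actually present on the volume; the verb table is also where a file that looks harmless hides an `Explore` or `Open` override that a plain `open=` check would miss.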
Drops file in System32 directory 40 IoCs
File created C:\Windows\SysWOW64\msvbvm60.dll  by IExplorer.exe (7 times)
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll  by IExplorer.exe (7 times)
File created C:\Windows\SysWOW64\IExplorer.exe  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, cute.exe, IExplorer.exe, winlogon.exe, imoet.exe, Tiwi.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe  by IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File created C:\Windows\SysWOW64\shell.exe  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification C:\Windows\SysWOW64\shell.exe  by Tiwi.exe, cute.exe, imoet.exe, IExplorer.exe, 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, winlogon.exe
File created C:\Windows\SysWOW64\tiwi.scr  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr  by 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe, cute.exe, IExplorer.exe, Tiwi.exe, winlogon.exe, imoet.exe
Drops file in Windows directory 26 IoCs
description | ioc | Process
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\ | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
3340 | Notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
3568 | Tiwi.exe
4428 | imoet.exe
5052 | winlogon.exe
4264 | IExplorer.exe
2416 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
3568 | Tiwi.exe
4264 | IExplorer.exe
1608 | Tiwi.exe
1884 | IExplorer.exe
4072 | Tiwi.exe
5052 | winlogon.exe
3780 | IExplorer.exe
4428 | imoet.exe
4804 | Tiwi.exe
3976 | IExplorer.exe
3252 | winlogon.exe
2416 | cute.exe
2076 | winlogon.exe
3692 | imoet.exe
2736 | winlogon.exe
3744 | imoet.exe
3732 | Tiwi.exe
1236 | Tiwi.exe
2792 | IExplorer.exe
4344 | cute.exe
2372 | cute.exe
3092 | IExplorer.exe
624 | winlogon.exe
756 | winlogon.exe
112 | imoet.exe
2684 | Tiwi.exe
748 | imoet.exe
3740 | imoet.exe
1404 | IExplorer.exe
1244 | cute.exe
2492 | cute.exe
3864 | cute.exe
1820 | winlogon.exe
764 | imoet.exe
1504 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 392 wrote to memory of 3568 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 81
PID 392 wrote to memory of 3568 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 81
PID 392 wrote to memory of 3568 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 81
PID 3568 wrote to memory of 3340 | 3568 | Tiwi.exe | 82
PID 3568 wrote to memory of 3340 | 3568 | Tiwi.exe | 82
PID 392 wrote to memory of 4264 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 83
PID 392 wrote to memory of 4264 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 83
PID 392 wrote to memory of 4264 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 83
PID 392 wrote to memory of 1608 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 84
PID 392 wrote to memory of 1608 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 84
PID 392 wrote to memory of 1608 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 84
PID 392 wrote to memory of 1884 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 85
PID 392 wrote to memory of 1884 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 85
PID 392 wrote to memory of 1884 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 85
PID 3568 wrote to memory of 4072 | 3568 | Tiwi.exe | 86
PID 3568 wrote to memory of 4072 | 3568 | Tiwi.exe | 86
PID 3568 wrote to memory of 4072 | 3568 | Tiwi.exe | 86
PID 392 wrote to memory of 5052 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 87
PID 392 wrote to memory of 5052 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 87
PID 392 wrote to memory of 5052 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 87
PID 3568 wrote to memory of 3780 | 3568 | Tiwi.exe | 88
PID 3568 wrote to memory of 3780 | 3568 | Tiwi.exe | 88
PID 3568 wrote to memory of 3780 | 3568 | Tiwi.exe | 88
PID 4264 wrote to memory of 4804 | 4264 | IExplorer.exe | 89
PID 4264 wrote to memory of 4804 | 4264 | IExplorer.exe | 89
PID 4264 wrote to memory of 4804 | 4264 | IExplorer.exe | 89
PID 392 wrote to memory of 4428 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 90
PID 392 wrote to memory of 4428 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 90
PID 392 wrote to memory of 4428 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 90
PID 4264 wrote to memory of 3976 | 4264 | IExplorer.exe | 91
PID 4264 wrote to memory of 3976 | 4264 | IExplorer.exe | 91
PID 4264 wrote to memory of 3976 | 4264 | IExplorer.exe | 91
PID 3568 wrote to memory of 3252 | 3568 | Tiwi.exe | 92
PID 3568 wrote to memory of 3252 | 3568 | Tiwi.exe | 92
PID 3568 wrote to memory of 3252 | 3568 | Tiwi.exe | 92
PID 392 wrote to memory of 2416 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 93
PID 392 wrote to memory of 2416 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 93
PID 392 wrote to memory of 2416 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 93
PID 4264 wrote to memory of 2076 | 4264 | IExplorer.exe | 94
PID 4264 wrote to memory of 2076 | 4264 | IExplorer.exe | 94
PID 4264 wrote to memory of 2076 | 4264 | IExplorer.exe | 94
PID 3568 wrote to memory of 3692 | 3568 | Tiwi.exe | 95
PID 3568 wrote to memory of 3692 | 3568 | Tiwi.exe | 95
PID 3568 wrote to memory of 3692 | 3568 | Tiwi.exe | 95
PID 5052 wrote to memory of 3732 | 5052 | winlogon.exe | 96
PID 5052 wrote to memory of 3732 | 5052 | winlogon.exe | 96
PID 5052 wrote to memory of 3732 | 5052 | winlogon.exe | 96
PID 4264 wrote to memory of 3744 | 4264 | IExplorer.exe | 97
PID 4264 wrote to memory of 3744 | 4264 | IExplorer.exe | 97
PID 4264 wrote to memory of 3744 | 4264 | IExplorer.exe | 97
PID 392 wrote to memory of 2736 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 98
PID 392 wrote to memory of 2736 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 98
PID 392 wrote to memory of 2736 | 392 | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe | 98
PID 4428 wrote to memory of 1236 | 4428 | imoet.exe | 99
PID 4428 wrote to memory of 1236 | 4428 | imoet.exe | 99
PID 4428 wrote to memory of 1236 | 4428 | imoet.exe | 99
PID 5052 wrote to memory of 2792 | 5052 | winlogon.exe | 101
PID 5052 wrote to memory of 2792 | 5052 | winlogon.exe | 101
PID 5052 wrote to memory of 2792 | 5052 | winlogon.exe | 101
PID 3568 wrote to memory of 4344 | 3568 | Tiwi.exe | 100
PID 3568 wrote to memory of 4344 | 3568 | Tiwi.exe | 100
PID 3568 wrote to memory of 4344 | 3568 | Tiwi.exe | 100
PID 4264 wrote to memory of 2372 | 4264 | IExplorer.exe | 102
PID 4264 wrote to memory of 2372 | 4264 | IExplorer.exe | 102
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe"C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:392 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3568 -
C:\Windows\Notepad.exeNotepad.exe C:\Present.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3340
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4072
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3780
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3252
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3692
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4344
-
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4264

C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 4804

C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 3976

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2076

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3744

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2372

C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1608

C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 2)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 1884

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5052

C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 3732

C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 2792

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 624

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3740

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2492

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4428

C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1236

C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 3092

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 756

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 748

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1244

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 2416

C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2684

C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe; depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 1404

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1820

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 764

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1504

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"; depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2736

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"; depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 112

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"; depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3864

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
- Filesize: 729B
  MD5: 8e3c734e8dd87d639fb51500d42694b5
  SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

- Filesize: 488KB
  MD5: a15fd0cf838275714377b851d7935219
  SHA1: 46e31cedcfac7f7541c22836d26242f233bf6736
  SHA256: 58fe1c7b12dc429def98f2f2f4a3afd873a61ac981e6b54cfd2fe1f48e100708
  SHA512: 26bdeafd56a22f262073ee1a870b02254782c988d11f214c5684d92b0d12e00cee80da18c3ec7ca4090574690fdac7346bec3b063134a2bfa9ce701c3eaeb863

- Filesize: 488KB
  MD5: 6a9ec5a9360f6f3d60a200f999a8f828
  SHA1: cdf8430d8abdad534e228c63df332f81394a047b
  SHA256: f19aacddca1cf38bd04ce82f44bd3f145534d73eb2c65b2194727691dddb84ac
  SHA512: 5cf6cff8ce661b843e13ff8c6d19f7b1a08adebb0b439c8ad811de550b390bd28fd08954103e082e25d8f3061550b06fa51afacefdf3dbf04af7659564a75240

- Filesize: 45KB
  MD5: 7b63e855540b3c4bec019065d9901df4
  SHA1: e055a7696a09050b6837a82fa0a648efcb0d98d9
  SHA256: bd5433273b04a451937ecc33a550ea138d94f6f667381fd1f7fc090951eb7b2f
  SHA512: 2c5d08fe7303a6c0b0bb74cbc3ce0756a6f5466002efe7845aca0e89de94b796a6ff92c9473924e4a39492aab4f2a80af4a7060ee8cfdba1ed1eea5252644fcc

- Filesize: 488KB
  MD5: 0655d1cee110b18e9fad39d4432aa67f
  SHA1: 67c4c58e79b8a444b86eea386499132423d41fee
  SHA256: e34f4047e5eb92a1ed41ead761951f614896cb2804c79f864a3c3696ff9d6f03
  SHA512: 3457bf80ba0142d754b67ef6fbe7a1d9810cdf97b1e626fd3d7067793446fabcf032f57f5bc814f30639c7912a6f03f941407bd0d4b8aa4c933bb0b237006d15

- Filesize: 488KB
  MD5: 137dc70196d811805db1246f6d4ca446
  SHA1: 6c5b74b723a26367e2a1ea7b5be8bb1662442be0
  SHA256: b4176c4a8c1d593ff772994c93631271e4f093ebd97f81f5f7696ffe4aa2768c
  SHA512: 7c492fdc091674c044ecdb0f2b4dd3f124830ce8488709112960fe0514315860ffaccd456227c4d118ad1ca520e6a8bb65b575009317745066d80bdd3ea5a054

- Filesize: 488KB
  MD5: 51ce6d3e3ed89c3a1050440dfa4523fe
  SHA1: 921246c9ede2e598520549ce7d06b63b1de20c34
  SHA256: 203bbd0ca118b5ea7786f4b1ce1c9b718999d3b627ee99192ef67b06ce6d86a6
  SHA512: be50ab80daff3d8c12f805b175fe42ecefc5b48034389da779897af08f2f5850a8c8ac39bd0b30be31b6bfcacd6b642ac45ea134044ee0565cc939758f1b8a58

- Filesize: 488KB
  MD5: f860b92925f82d6680b0855e45b0a7f6
  SHA1: f4db4543afb5ff3de2b3dd344a814924b836166a
  SHA256: 6a4249cee17dc9fb75e54328801e35ff7fbba156dbd95d84cf5d8da718751420
  SHA512: b8d8514a7501ec6d95994aa4942b997cad3ccebb7625daca32ad29a915ddf75350fafd92c24d2ee51bf43765b07958cd708ae1e315fc170655f2aa4a99244d41

- Filesize: 45KB
  MD5: 74e2bad0629a7afcdcebf47f07182bcf
  SHA1: 5198e6e263adf7f241aa770a2532abd573c0bfa0
  SHA256: 32ea0511a42515b2b88c00df11202d71c4aae48fdb6a9c448ab1a16eccf97428
  SHA512: 08cad8776efca90f77171fb096c660a3dd2d7873ca01798e3e977d4ffe660b87e23087e93bc56f08c1deaa9478028e0a06aeb4571f287596ee7c97e3ca063a8e

- Filesize: 45KB
  MD5: 84dbc5e9878f1d95152eac928fe01cc6
  SHA1: 2b0b2de6951e5260346af449ea31bb726eae10fa
  SHA256: cb862620bd2c3f4c2ab93d6ce3934e6f5fd610065f8982c7e02ce02247eeb3ae
  SHA512: 3742c1a0305e0a23e69726d34186bb59f42c9cd90f586f8ba5b3bb59db52875d7e23c7bae36a4a72c52db4f4f2d8137ff2805c006c35360394f8becdde76ddc4

- Filesize: 45KB
  MD5: 46dffb7ab4b7be25fa06690c908b5b1f
  SHA1: fb0d91b2679ad015e5decf269cad969ebae1a123
  SHA256: 8d445e3b84dad8aa73c99362a63557d709ba786e5bd7e36c71c199c7da3abca8
  SHA512: a25cb4dd8e1f155cca711155b7989bda65987a7e14b513e5d3b998a03625bf73a422a20c9c8d0ffaaf5ccb1c64bd800c3a41063976d6b8321023b558e1147b1f

- Filesize: 45KB
  MD5: e7df4a8148da7d44e2e85c179eea47ed
  SHA1: d8d7c46461734573b37d1d80ba380dfd9e099099
  SHA256: a3490075049c46bd1d049b2d0edc8b1b6a901547104e36227520bb550f25bc5f
  SHA512: e10dba22ad390f67a4cdc96d0f39503946afb940e01138521b74ac7cc6821058c6421c036bd8034ab2ca4464aa101b06ec0b3ec9150a1ea82684a9f4b0bded63

- Filesize: 488KB
  MD5: eb980f17d40f47c94448911686b6623d
  SHA1: 0262a4167e04828e15e26aa4bdda87dc4979a0b7
  SHA256: b19778fe2821eba65aa5236abb4b6b3c82873c7f433481e1991d355a6b27f923
  SHA512: ffb85f6227ed7c30d9c2b6c05478ae2d1ed91d19b9eab59143c9dbb3157d70990c67cfd4cc89470b4e6ed9443a81e56fa5737216d4e29255fae85c63fd8e0ce9

- Filesize: 488KB
  MD5: 5f566e38b7871339a751d57e86f8bfcd
  SHA1: eb8ccc9252fc20b9ee0e614932bd2db9281d99e1
  SHA256: 97d22572613f0dbd68a57a59c1893f1133c7ac325d2e0fb81521b246fc36e721
  SHA512: 3a66d193a36363995cf71c64f24aa857a9302578e44aaf3c768f579d5ad98433eb00114cf0236282b86ebfe7f7e546021744ebb573f63b4df3747ca4b29513b2

- Filesize: 488KB
  MD5: fb9933d360afbcc0661d6505885c500b
  SHA1: 35d8021c7afb1265bbe432b945d9add1536f70fd
  SHA256: a434c8b03536704c8e4f2322557662793868aa412ac0ec36c071e9f271a4f9ca
  SHA512: 627516e2ba0b97a7db0dfd7189cfa0fdcdd26b18f525d1be6633cd8a1982aff32feb502726aef645e344ee8996be0e0d55b367959afa06e5d32a4ed815fc7a3d

- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

- Filesize: 488KB
  MD5: bea3f332073ce7c2a289ebbb96ba62f3
  SHA1: e423531a6cdaac290685fee75a5757bc62dd21d3
  SHA256: f4a8c8b844553ed9742ff09ec8f2b002534b9cf5dc2936e57cf49c8658218b2c
  SHA512: 164d96484e8795e57ecb71c3027f8386198974c8a6ada65f2255b4772f7093d3283b12e1502f3e0baa5124d9d57ef8cbcca0bcf04df02487229006e2dd992abf

- Filesize: 488KB
  MD5: 799c9d5a1951830cffc90129fbcc64bc
  SHA1: a44343268c36da93bedec9ebc1dd41eed5c03b0c
  SHA256: d00a7e44bb65c3cc2aac7c52f7f434fc4970748fffaceef53aaafcd766835cf2
  SHA512: 4605b24a3a8d2738ee904bf665690011c4ebd56fdcdd2691db081cc0d86ccd1b88e8f689e5de81ef7d48ec3a25ce8de678d6e6347859878b391f7c6ff3df7003

- Filesize: 488KB
  MD5: d2578629b36b695aae1644e28fc59e69
  SHA1: 39d14eded3c7102e0e25eec9977dba7695730478
  SHA256: 6747b0143ea9e1e26633f998de862596c442d9827c82e4aa2975331577ab9598
  SHA512: a59be6d451222a50fb4f9b9bd744517e5bc450e6192bec56823b709c94884fef48cc4cf3dcdba12656d2e8caedcd94659953d7655e38c6d38796b7344dbab136

- Filesize: 488KB
  MD5: 549b285b034030900764b8ca09f9ac26
  SHA1: 81b386310f280e7788a0ffa1fa05fee6fe0fb817
  SHA256: 1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a
  SHA512: 16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787

- Filesize: 488KB
  MD5: d2d93b98fb5bbae4aca25d22d433e11b
  SHA1: f5ea9386ce6be37a97476bec99c24fa1ff89f18d
  SHA256: dfd42ab901a0a867b5876a4016a6500717faef423a86a20118f7cf6552ba20fa
  SHA512: 127930bb185bdb98627fd7f481b8aba4c264b08e9072585b0b0691e42c54b0e528135b7be2c5a731943fabc853ba92c5b655838952c9c216c5e46d87078b9982

- Filesize: 488KB
  MD5: 226e211eec10a5642a7c4b2bab066ee8
  SHA1: d16e36e2157b09fb66178a5356e46cda93a44d6c
  SHA256: e17af855aa838d023a4e54d7790e036890b5d3d86a24f01368444ed35f55d4d8
  SHA512: 32f4a8640868e665c822ae230edd17d0feac8fd48dcbbff8f1356c3cbe1a9d64fe3bdf825813830608f3b0a84f59a9c226b41a21128c8d0a112086946c65cf0c

- Filesize: 488KB
  MD5: 02ff4b84a530a55c4f4184b946100e14
  SHA1: 9ec57e8a5580dd9c5264c5dbba57216c94a979dc
  SHA256: 9075acaac8af80211feb8d834c065f03735880f756d931d9900dd274a074b387
  SHA512: c681a12ee1dfb00972572577d4bd77b64f65013bdd31283c53424a51ea5a690ed3d5e699af509a19a85ed3219e646777bce4ae2fde12703879a891e0fa40dc62

- Filesize: 488KB
  MD5: bde562776392afe1267f4db2b9cdaa55
  SHA1: 64987a480fac9770bbdeefb586fbb76110232342
  SHA256: c0509264d2f51109d4ecd904d2000da7ba94749cee84d578132fb2c1547d224c
  SHA512: 15b68ae5dcc8784970d1fe4a55742f6fab12845c77f8743b0f69029a3b62cac4013946810d5114505ee2ddf2ae6fdc9e956e571f9e90d6ae785c2670bda26f2a

- Filesize: 39B
  MD5: 415c421ba7ae46e77bdee3a681ecc156
  SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62