Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06/08/2024, 01:42
Static task
static1
Behavioral task
behavioral1
Sample
3d139b69481bd8d8e19a69076e324060N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
3d139b69481bd8d8e19a69076e324060N.exe
Resource
win10v2004-20240802-en
General
-
Target
3d139b69481bd8d8e19a69076e324060N.exe
-
Size
488KB
-
MD5
3d139b69481bd8d8e19a69076e324060
-
SHA1
055411e49b2fbf273c38339547e3bf9a574574de
-
SHA256
f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93
-
SHA512
19bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a
-
SSDEEP
12288:V/ML/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V0K2O2HIBEd7M
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2776 Tiwi.exe 2684 IExplorer.exe 1152 winlogon.exe 288 imoet.exe 2708 Tiwi.exe 2816 Tiwi.exe 1816 IExplorer.exe 2020 IExplorer.exe 1128 Tiwi.exe 1524 Tiwi.exe 1944 winlogon.exe 2436 IExplorer.exe 2428 winlogon.exe 2112 Tiwi.exe 1708 imoet.exe 2720 IExplorer.exe 2156 winlogon.exe 2760 IExplorer.exe 2756 winlogon.exe 2716 winlogon.exe 3036 cute.exe 2924 imoet.exe 2744 imoet.exe 2912 imoet.exe 2772 imoet.exe 2964 cute.exe 2584 cute.exe 1728 cute.exe 1400 cute.exe 1204 Tiwi.exe 1764 cute.exe 1808 IExplorer.exe 2796 winlogon.exe 2844 imoet.exe 2600 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2776 Tiwi.exe 2776 Tiwi.exe 2776 Tiwi.exe 2776 Tiwi.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2684 IExplorer.exe 2684 IExplorer.exe 2776 Tiwi.exe 2776 Tiwi.exe 2684 IExplorer.exe 2684 IExplorer.exe 288 imoet.exe 288 imoet.exe 288 imoet.exe 288 imoet.exe 1152 winlogon.exe 1152 winlogon.exe 2776 Tiwi.exe 2776 Tiwi.exe 1152 winlogon.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 1152 winlogon.exe 1152 winlogon.exe 288 imoet.exe 2684 IExplorer.exe 2684 IExplorer.exe 1152 winlogon.exe 1152 winlogon.exe 2684 IExplorer.exe 2684 IExplorer.exe 288 imoet.exe 288 imoet.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 2356 3d139b69481bd8d8e19a69076e324060N.exe 3036 cute.exe 3036 cute.exe 3036 cute.exe 3036 cute.exe 3036 cute.exe 3036 cute.exe 3036 cute.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: imoet.exe File opened (read-only) \??\G: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\S: Tiwi.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\V: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\I: cute.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\U: cute.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\J: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\L: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\P: Tiwi.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\I: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\Q: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\W: Tiwi.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\Q: winlogon.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\E: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\B: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\Y: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\L: cute.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\T: Tiwi.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\X: 3d139b69481bd8d8e19a69076e324060N.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\W: winlogon.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\R: 3d139b69481bd8d8e19a69076e324060N.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf Tiwi.exe File opened for modification C:\autorun.inf Tiwi.exe File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\tiwi.scr 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\SysWOW64\IExplorer.exe 3d139b69481bd8d8e19a69076e324060N.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 3d139b69481bd8d8e19a69076e324060N.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe 3d139b69481bd8d8e19a69076e324060N.exe File created C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d139b69481bd8d8e19a69076e324060N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 3d139b69481bd8d8e19a69076e324060N.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 3d139b69481bd8d8e19a69076e324060N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3d139b69481bd8d8e19a69076e324060N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2356 3d139b69481bd8d8e19a69076e324060N.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2776 Tiwi.exe 288 imoet.exe 1152 winlogon.exe 2684 IExplorer.exe 3036 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 2356 3d139b69481bd8d8e19a69076e324060N.exe 2776 Tiwi.exe 2684 IExplorer.exe 1152 winlogon.exe 288 imoet.exe 2708 Tiwi.exe 2816 Tiwi.exe 2020 IExplorer.exe 1128 Tiwi.exe 1816 IExplorer.exe 1944 winlogon.exe 2436 IExplorer.exe 2112 Tiwi.exe 2720 IExplorer.exe 1524 Tiwi.exe 1708 imoet.exe 2760 IExplorer.exe 2428 winlogon.exe 2756 winlogon.exe 2156 winlogon.exe 2716 winlogon.exe 2744 imoet.exe 3036 cute.exe 2772 imoet.exe 2924 imoet.exe 2912 imoet.exe 2964 cute.exe 2584 cute.exe 1728 cute.exe 1400 cute.exe 1764 cute.exe 1204 Tiwi.exe 1808 IExplorer.exe 2796 winlogon.exe 2844 imoet.exe 2600 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2776 2356 3d139b69481bd8d8e19a69076e324060N.exe 31 PID 2356 wrote to memory of 2776 2356 3d139b69481bd8d8e19a69076e324060N.exe 31 PID 2356 wrote to memory of 2776 2356 3d139b69481bd8d8e19a69076e324060N.exe 31 PID 2356 wrote to memory of 2776 2356 3d139b69481bd8d8e19a69076e324060N.exe 31 PID 2356 wrote to memory of 2684 2356 3d139b69481bd8d8e19a69076e324060N.exe 32 PID 2356 wrote to memory of 2684 2356 3d139b69481bd8d8e19a69076e324060N.exe 32 PID 2356 wrote to memory of 2684 2356 3d139b69481bd8d8e19a69076e324060N.exe 32 PID 2356 wrote to memory of 2684 2356 3d139b69481bd8d8e19a69076e324060N.exe 32 PID 2356 wrote to memory of 1152 2356 3d139b69481bd8d8e19a69076e324060N.exe 33 PID 2356 wrote to memory of 1152 2356 3d139b69481bd8d8e19a69076e324060N.exe 33 PID 2356 wrote to memory of 1152 2356 3d139b69481bd8d8e19a69076e324060N.exe 33 PID 2356 wrote to memory of 1152 2356 3d139b69481bd8d8e19a69076e324060N.exe 33 PID 2356 wrote to memory of 288 2356 3d139b69481bd8d8e19a69076e324060N.exe 34 PID 2356 wrote to memory of 288 2356 3d139b69481bd8d8e19a69076e324060N.exe 34 PID 2356 wrote to memory of 288 2356 3d139b69481bd8d8e19a69076e324060N.exe 34 PID 2356 wrote to memory of 288 2356 3d139b69481bd8d8e19a69076e324060N.exe 34 PID 2356 wrote to memory of 2708 2356 3d139b69481bd8d8e19a69076e324060N.exe 35 PID 2356 wrote to memory of 2708 2356 3d139b69481bd8d8e19a69076e324060N.exe 35 PID 2356 wrote to memory of 2708 2356 3d139b69481bd8d8e19a69076e324060N.exe 35 PID 2356 wrote to memory of 2708 2356 3d139b69481bd8d8e19a69076e324060N.exe 35 PID 2776 wrote to memory of 2816 2776 Tiwi.exe 36 PID 2776 wrote to memory of 2816 2776 Tiwi.exe 36 PID 2776 wrote to memory of 2816 2776 Tiwi.exe 36 PID 2776 wrote to memory of 2816 2776 Tiwi.exe 36 PID 2356 wrote to memory of 1816 2356 3d139b69481bd8d8e19a69076e324060N.exe 38 PID 2356 wrote to memory of 1816 2356 3d139b69481bd8d8e19a69076e324060N.exe 38 PID 2356 wrote to memory of 1816 2356 3d139b69481bd8d8e19a69076e324060N.exe 38 PID 2356 wrote to memory of 1816 2356 3d139b69481bd8d8e19a69076e324060N.exe 38 PID 2776 wrote to memory of 2020 2776 Tiwi.exe 39 PID 2776 wrote to memory of 2020 2776 Tiwi.exe 39 PID 2776 wrote to memory of 2020 2776 Tiwi.exe 39 PID 2776 wrote to memory of 2020 2776 Tiwi.exe 39 PID 2684 wrote to memory of 1128 2684 IExplorer.exe 37 PID 2684 wrote to memory of 1128 2684 IExplorer.exe 37 PID 2684 wrote to memory of 1128 2684 IExplorer.exe 37 PID 2684 wrote to memory of 1128 2684 IExplorer.exe 37 PID 1152 wrote to memory of 1524 1152 winlogon.exe 40 PID 1152 wrote to memory of 1524 1152 winlogon.exe 40 PID 1152 wrote to memory of 1524 1152 winlogon.exe 40 PID 1152 wrote to memory of 1524 1152 winlogon.exe 40 PID 2776 wrote to memory of 1944 2776 Tiwi.exe 41 PID 2776 wrote to memory of 1944 2776 Tiwi.exe 41 PID 2776 wrote to memory of 1944 2776 Tiwi.exe 41 PID 2776 wrote to memory of 1944 2776 Tiwi.exe 41 PID 2356 wrote to memory of 2428 2356 3d139b69481bd8d8e19a69076e324060N.exe 42 PID 2356 wrote to memory of 2428 2356 3d139b69481bd8d8e19a69076e324060N.exe 42 PID 2356 wrote to memory of 2428 2356 3d139b69481bd8d8e19a69076e324060N.exe 42 PID 2356 wrote to memory of 2428 2356 3d139b69481bd8d8e19a69076e324060N.exe 42 PID 2684 wrote to memory of 2436 2684 IExplorer.exe 43 PID 2684 wrote to memory of 2436 2684 IExplorer.exe 43 PID 2684 wrote to memory of 2436 2684 IExplorer.exe 43 PID 2684 wrote to memory of 2436 2684 IExplorer.exe 43 PID 2776 wrote to memory of 1708 2776 Tiwi.exe 44 PID 2776 wrote to memory of 1708 2776 Tiwi.exe 44 PID 2776 wrote to memory of 1708 2776 Tiwi.exe 44 PID 2776 wrote to memory of 1708 2776 Tiwi.exe 44 PID 288 wrote to memory of 2112 288 imoet.exe 45 PID 288 wrote to memory of 2112 288 imoet.exe 45 PID 288 wrote to memory of 2112 288 imoet.exe 45 PID 288 wrote to memory of 2112 288 imoet.exe 45 PID 2684 wrote to memory of 2156 2684 IExplorer.exe 46 PID 2684 wrote to memory of 2156 2684 IExplorer.exe 46 PID 2684 wrote to memory of 2156 2684 IExplorer.exe 46 PID 2684 wrote to memory of 2156 2684 IExplorer.exe 46 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 3d139b69481bd8d8e19a69076e324060N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe"C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2356 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1708
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3036 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1204
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2684 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1128
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2156
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2584
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1152 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:288 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1816
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2428
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1764
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD57211193bffee1df1c05e295be7fca7e6
SHA1d3e3306b5eb2b53b1fcd22b7827ab8a4561b0a71
SHA2565205f1dbaee8385ae249e2ce14f077a62cf77f1fee28198cd1a22998276e7e85
SHA512ee4f08da3df92c503f4779168a5b99a82819965afde233cb4e2bb2a9a0f29c5f69fa07559217afe80a0efb84ce7873bbd33eb1611280a802f3df61e335b65854
-
Filesize
45KB
MD5cd60cc844ef7e3ddb36006c2215c2c29
SHA13c587d18dff91a551d19dbd0ce8ab3d935805669
SHA2567980776d1387c639a74231a5766c96332305e4bdba78c0377f9e1f610c3e3c2a
SHA512371defbea47a3d90853900d604f25eeab34b6c752b8dd69ea5143d0acfb0d4a806d3d0135eeb265b03443d40e09004a301488b77c106907b7508169e13290c18
-
Filesize
488KB
MD5f2ca9dc34a24d284fcf67a403c845a74
SHA1e5d05b78ffb92217ecee2327499b01c0669438a0
SHA2569aeeb224902b90ea4ac2cd66aeed3a5e127d9b147f6d92db77d5a97529080e9a
SHA512b994ce60add1bafa6a9774219a88835b2d6d81833b4ca2568474ad7d97365f082c0be17397e948442d06c830bc2b21eece5152a4c670340cfbc1895255ae8baf
-
Filesize
488KB
MD5728ff4b35593e33192ce29ea452a694c
SHA1b7c8d1db560407a68f974b80de876c70ec729065
SHA256b81ea80d54b5cedee73e70c86c441bed884e1b36d65d965801a37fd591e793c0
SHA5126659f59f52706b4a64c0aab201562ec667783b0cb95f82a7d2c8d6a361211d0fb67b2f867690f8b9a78251550fbfe47ef2e2b98e05cbf977c0ef18bba9f4781b
-
Filesize
488KB
MD549782caf1232e2b53940db1aa07a9d94
SHA1e5906c68dfdf4766f82af3fb7c06cfc053f0e028
SHA25665e62f04f90b4af1fa6ba3e0e4801dcda068cbab1c0b948713941b0ad2dfb1d6
SHA512a829076f8ec1bc011404d0028fe639ac654a4eb52022f5dbd9856d06415f25c524951bf7d9309e8a945f34c800b7d926b6d874434615ee190d3af999c1a7ea60
-
Filesize
488KB
MD5debdb55a67337d6167b856ae138e5eb2
SHA10d5056ab4e5d3706d7f0c93f0c480ee8b8f224e7
SHA256d0f20f4e21b86e5ad452430929b67f5496d4ab14f668d0461ae2115718e4dc57
SHA5129e84e0d48efbc3e8299596b0357507db7552bd652fddd8378f487e6b7bbcf82151630204e789d22c3d773c8a36dd76184686d157a572d64f3d5566afec1d822d
-
Filesize
488KB
MD570c6c52df955d3eb50d2ae0da427f34f
SHA1f70ac0fbf55d2263797c9db33f8821a5ca06bc48
SHA2561d76f01d806d74f5de66543a3a6a108edcacda0668a4fa8fba53b59e8c16b322
SHA51211629fcd881080d11af415c9c908dbcb3235d7d40756b32909ceb612569dfba83182e0ffae5a31c4f464b61d948582db922865b82664a695214aa1047d36db3e
-
Filesize
45KB
MD5768a6e8bcae287058124b97f406cd31c
SHA141d0c17863755818a60b9a720c1fe2a60f26517e
SHA256db52041d3ebc37bfcd55a73cd1832c003b632c56c02c021c022190c5f8fa157c
SHA512954a6152a3c57301b88efa5d32ba90b913730e387b31c6da8b567cfbcabbc5514f10cf44fe43cf3b2fe51ae83030627bf12998b70eca1c7b3c439e4e0720df66
-
Filesize
45KB
MD5913bf977b733861750e0ff731d5ea7d9
SHA18aa11000e1a6a24a57c1571de665a3a3dd6cd498
SHA2563657d42db8a6bb5f0c0f6c608467ebc84a56a7a81885ef767cb697fd9ea3c762
SHA51238561349c5241c680838d0f68f2946adcd9491e469da5006430f22888a6467ff8f7bb08f1191e51585db7954a08e3cc99c5af009f3c992428b822f2ecb80aca6
-
Filesize
45KB
MD5536c3488909514704fecabbdc899fee8
SHA135ce7b7afdff315cff2e951def17594caa3393c3
SHA256db55b868acfdd37bf42487b750606ec29661c785a940681d2c34dbc1e81b7d12
SHA512d8cf8450ab27d929e2b1fbbc49326daef814d3d9c7619bb60758aa02295c59639be4b9914139e7543f378ce967855af51bec08949f677b8daf9ca66e31cccdfb
-
Filesize
488KB
MD5c174d237b6ab287cf7e7190b9e9bf33a
SHA175c0ff9588b1358f38185fc99932b39ef240704d
SHA256834a57572a343f6ff6e3aeeb9b21836691b8351e1527d99356ba102d764424fb
SHA51262d08fcf1f6889d1d3a88f227945247e0e6f6ba00e34c4543a0aaa23816c558daae5c2a3f1cc7bc702aad86984428b7260f0750e47fe7e27a4484e3724ed2b1a
-
Filesize
488KB
MD583889d73e94d8b02d3e7b77513b6f190
SHA1ab5c7acb7a9672a7cf29362e7954a045e82435ce
SHA25692c970424e063709fa2d0f0056fac60d3dc99d1771c6ed92d1439f187cfc20aa
SHA512cf57354578d91c806322b38bb825ee604098d1d16e59fff7190a069d369610329588554251d9e4f286e13623bbedc2c664600ef779af95cc3a71c8371cbc883f
-
Filesize
488KB
MD546c2ef2116a81fccaef93aa5f9f9e69d
SHA1199c1730e5424fcd6b9e385a4ab800e7139e2fb1
SHA256d69aeaa10aa5d47d6f560f12bd0b518f2bf93f60bf2fc279c32957b52e65f9d1
SHA5122f6de471e3223c02b639a5e0c7ef9c584bf5e817aa64d1d8981bf29a11c0cf174285dd96b076d3c13d40e1ea37add3e42101c787046837534d72ee05981420e1
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
488KB
MD5ab2990b0bcfd32a91aa141f2a12cef80
SHA15ed36836e72ef81305ad8c91b206199aee7495c4
SHA256f46dd184734d52da3691155279d8fbbb2340571b6798617b926c8fcb2cc1b441
SHA512ef763fe31779d62a4913e6a97eacd579ed36a7d3651bc88077a993d7b0a68efaafd1072d194c51299839baa5bf1b811d27e34c57c1317dd2eddce26ed22191c5
-
Filesize
488KB
MD507321e97441e42e00584bd62567d7321
SHA12a10d85c7ea0efe325fcbbdc615718879d7a25b6
SHA25697566e42a2005165178766fbb595f235033e0492e687324ff33762cae20bb715
SHA5126acdc7f5954b944b51b46741e8328a01f2f2e24493cb24db439f251a55f25b9eed1f9aa98dd9cf9c229b9581837edb0b0689fae677616c3e1048f3bbde95ba1c
-
Filesize
488KB
MD58130af817e068dacf609296a9505fe1e
SHA13c0b73adb73f627f477c791996a2965c9f687c18
SHA256ad8936d7def44aa2dcddb1bf7c4da7907b1ee83b2f52ac3bafa8e86993d8149d
SHA512dcbe90cfe001108093a549609cb3676b64b21c342e8976833ba321c952fdb3d2be17c3cafa1494533369342e902e44a0f915dd7a613831a14d6db08e4b549b9e
-
Filesize
488KB
MD53d139b69481bd8d8e19a69076e324060
SHA1055411e49b2fbf273c38339547e3bf9a574574de
SHA256f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93
SHA51219bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a
-
Filesize
488KB
MD51942265a98b65c0051db57b3d8ea4106
SHA1542cd1499c29cb4abef5e57cb0bc41aaa43ef325
SHA25622440e1920ee70e1b76cc24d6dfd9530f24db8533e2e29b82f7d036bf537848d
SHA512506886a5b07d62ee343add3256d764ea0e82afd719fe88a9f56ee3380c5c2cc8a8031c196f7edc313ce42a1634edec341e21b1de6618fa592cb671490dd6dc50
-
Filesize
488KB
MD5c64677fc7d5cbeb36bd75c59a45d8950
SHA1519d6d1dede970cfa6e6ae93dccf1c9c1c7d4668
SHA256ebf67dfe479e5ec2cc7f2ee768d9d9f04ee5493dadf7bcbdd927b132a5814cb9
SHA51260060a31cd18b864c80f975fd2637398401417542c6623efa341c852fb19c89c812809628e524fda80f8e331c1a8ef43cb0449cfc7a53b92cf76b5ee17ad62b7
-
Filesize
488KB
MD5af0ae8a7c3927761018452b0aac6f6c0
SHA17417b026855533f384b731b95bb411c44130872d
SHA256c98161ee42e38b9f99aa871e3e4e64cd124fd8b60c009caa9454a5dc2575daf9
SHA512e715208b780e491d2814d09129b3ce833edd16823cd9ca36b06cf4f3729b826c31632d58899f54ece9a0118d65df292fc0578e884834400019a7fa8d5292f817
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
488KB
MD57d8dc315f3fb8fb78442c44ca03b1a17
SHA1f3d71aed66223ce50b6d850d16b554d27c7bd54a
SHA2562bba626328438bafa741fb205a7cbb8558b257999b95a45f62ccf1ffa1a5363c
SHA5124808c0ecd93b01233027c77e55810b1a87c02e480c9b0ddd6c2f7d0d7f37ab87ca6e62047ada57115186385b8797253f10bb91e65fccb8b5cf84419c93908480
-
Filesize
488KB
MD53064c5b9e10bec17a5ca4596fd7da42b
SHA18d93b3bd51463ccfbf73b07acc4585cceb1f387d
SHA25634e51a69fffa35048b39d2aa93391a613b0550cc22dd677e681e42a6a6c515b6
SHA512d5c045f6a4b999f1a7a0710f9c2759341abec5bd481edd074702a2ee8a35c4dfcfc577349c5e4fb1a26ce14d53a08522f6d47aaa235d443e7eb8fe66942f10c5
-
Filesize
488KB
MD5c04bcfefb77f208bd7c5d96e1c3af940
SHA1de0af7d75944d421cba590256dd2d5c420cb5c58
SHA256538b2db1dc67f4f162f8b1c7bac4829443e6d7bcd19b5bd654b0d078f5184f48
SHA5128cc4d1d174b598d489ac5e6d15659dc8231ecc35d822831129fbc49322cd3e838c7e6fb4f7d08b821814cee22c4b6b40d74a40edbb4a4dba8c8cc200551c470b
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
488KB
MD58bd0718d719c28e2d3c06d57b23d29b4
SHA150809f2bbc08ef41def49d5c633c8bbd72eb2fd3
SHA2569703d21e8555050f40cc5d51f90857b101398ffecc5af4637d067fa76cc0b878
SHA5127c10e4f7f3f82608352b0b379c752463337ee5b02bbfede321409e1ac65cbc06a9b8b2fc054e55cd2abb8b01c344aa5e0fbd5107b1fde43f7b03dbdd3dbad4ed