9cd63b5b3fe79bc9703258dd450bc1a93212859b5398642f9ef89eb567688a86

Analysis

max time kernel
100s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ed905b5c55649b0036c3c909112ace.exe
Size

137KB
MD5

11ed905b5c55649b0036c3c909112ace
SHA1

1ae2e6c7b4ea9ea62e81bbca3b6815255d1c614c
SHA256

9cd63b5b3fe79bc9703258dd450bc1a93212859b5398642f9ef89eb567688a86
SHA512

8e4fb2346c0b65d3c4b512b7be414ea5031cf52d579bed2e746219ab608c1f02dcab77335dd7fe0d4cf278ea5a8ac387370a6862cfb8fd27d43fd7d84bff9a33
SSDEEP

3072:IpWC4YgBPlGiyllNpWC4YgBPlGiyllNpWC4YgBPlGiyllK:2WC4YgB9GiyXWC4YgB9GiyXWC4YgB9GG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	11ed905b5c55649b0036c3c909112ace.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	11ed905b5c55649b0036c3c909112ace.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	11ed905b5c55649b0036c3c909112ace.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	11ed905b5c55649b0036c3c909112ace.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
1952	Tiwi.exe
3016	IExplorer.exe
2964	winlogon.exe
992	Tiwi.exe
2912	IExplorer.exe
1920	winlogon.exe
1812	Tiwi.exe
1160	imoet.exe
332	IExplorer.exe
2792	winlogon.exe
1532	cute.exe
2320	Tiwi.exe
1508	imoet.exe
1648	IExplorer.exe
1596	Tiwi.exe
1716	winlogon.exe
1172	cute.exe
1844	IExplorer.exe
2852	imoet.exe
2904	imoet.exe
2624	winlogon.exe
2648	Tiwi.exe
1984	cute.exe
2480	cute.exe
320	imoet.exe
2264	Tiwi.exe
2796	cute.exe
1552	IExplorer.exe
2800	IExplorer.exe
3000	winlogon.exe
676	imoet.exe
440	cute.exe
2972	winlogon.exe
1536	imoet.exe
2960	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
1952	Tiwi.exe
1952	Tiwi.exe
1952	Tiwi.exe
1952	Tiwi.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
1952	Tiwi.exe
1952	Tiwi.exe
3016	IExplorer.exe
3016	IExplorer.exe
3016	IExplorer.exe
3016	IExplorer.exe
1952	Tiwi.exe
1952	Tiwi.exe
2964	winlogon.exe
3016	IExplorer.exe
3016	IExplorer.exe
2964	winlogon.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2964	winlogon.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
2476	11ed905b5c55649b0036c3c909112ace.exe
3016	IExplorer.exe
3016	IExplorer.exe
2964	winlogon.exe
2964	winlogon.exe
2964	winlogon.exe
2964	winlogon.exe
1160	imoet.exe
1160	imoet.exe
1532	cute.exe
1532	cute.exe
1160	imoet.exe
1160	imoet.exe
1160	imoet.exe
1160	imoet.exe
1160	imoet.exe
1532	cute.exe
1532	cute.exe
1532	cute.exe
1532	cute.exe
1532	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\E:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\G:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\H:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\Y:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\I:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\B:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\J:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\W:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\L:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\U:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\V:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\P:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\N:	11ed905b5c55649b0036c3c909112ace.exe
File opened (read-only)	\??\R:	11ed905b5c55649b0036c3c909112ace.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	11ed905b5c55649b0036c3c909112ace.exe
File created	C:\autorun.inf	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\autorun.inf	11ed905b5c55649b0036c3c909112ace.exe
File created	F:\autorun.inf	11ed905b5c55649b0036c3c909112ace.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	11ed905b5c55649b0036c3c909112ace.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\shell.exe	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	11ed905b5c55649b0036c3c909112ace.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	11ed905b5c55649b0036c3c909112ace.exe
File created	C:\Windows\tiwi.exe	11ed905b5c55649b0036c3c909112ace.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	11ed905b5c55649b0036c3c909112ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	11ed905b5c55649b0036c3c909112ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2476	11ed905b5c55649b0036c3c909112ace.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1952	Tiwi.exe
1160	imoet.exe
2964	winlogon.exe
3016	IExplorer.exe
1532	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2476	11ed905b5c55649b0036c3c909112ace.exe
1952	Tiwi.exe
3016	IExplorer.exe
2964	winlogon.exe
992	Tiwi.exe
2912	IExplorer.exe
1920	winlogon.exe
1812	Tiwi.exe
1160	imoet.exe
332	IExplorer.exe
2792	winlogon.exe
2320	Tiwi.exe
1532	cute.exe
1508	imoet.exe
1648	IExplorer.exe
1596	Tiwi.exe
1716	winlogon.exe
1172	cute.exe
1844	IExplorer.exe
2904	imoet.exe
2852	imoet.exe
2624	winlogon.exe
2648	Tiwi.exe
1984	cute.exe
320	imoet.exe
2480	cute.exe
2264	Tiwi.exe
2796	cute.exe
1552	IExplorer.exe
3000	winlogon.exe
676	imoet.exe
440	cute.exe
2972	winlogon.exe
1536	imoet.exe
2960	cute.exe
2800	IExplorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1952	2476	11ed905b5c55649b0036c3c909112ace.exe	28
PID 2476 wrote to memory of 1952	2476	11ed905b5c55649b0036c3c909112ace.exe	28
PID 2476 wrote to memory of 1952	2476	11ed905b5c55649b0036c3c909112ace.exe	28
PID 2476 wrote to memory of 1952	2476	11ed905b5c55649b0036c3c909112ace.exe	28
PID 2476 wrote to memory of 3016	2476	11ed905b5c55649b0036c3c909112ace.exe	29
PID 2476 wrote to memory of 3016	2476	11ed905b5c55649b0036c3c909112ace.exe	29
PID 2476 wrote to memory of 3016	2476	11ed905b5c55649b0036c3c909112ace.exe	29
PID 2476 wrote to memory of 3016	2476	11ed905b5c55649b0036c3c909112ace.exe	29
PID 2476 wrote to memory of 2964	2476	11ed905b5c55649b0036c3c909112ace.exe	30
PID 2476 wrote to memory of 2964	2476	11ed905b5c55649b0036c3c909112ace.exe	30
PID 2476 wrote to memory of 2964	2476	11ed905b5c55649b0036c3c909112ace.exe	30
PID 2476 wrote to memory of 2964	2476	11ed905b5c55649b0036c3c909112ace.exe	30
PID 2476 wrote to memory of 992	2476	11ed905b5c55649b0036c3c909112ace.exe	31
PID 2476 wrote to memory of 992	2476	11ed905b5c55649b0036c3c909112ace.exe	31
PID 2476 wrote to memory of 992	2476	11ed905b5c55649b0036c3c909112ace.exe	31
PID 2476 wrote to memory of 992	2476	11ed905b5c55649b0036c3c909112ace.exe	31
PID 2476 wrote to memory of 2912	2476	11ed905b5c55649b0036c3c909112ace.exe	59
PID 2476 wrote to memory of 2912	2476	11ed905b5c55649b0036c3c909112ace.exe	59
PID 2476 wrote to memory of 2912	2476	11ed905b5c55649b0036c3c909112ace.exe	59
PID 2476 wrote to memory of 2912	2476	11ed905b5c55649b0036c3c909112ace.exe	59
PID 2476 wrote to memory of 1920	2476	11ed905b5c55649b0036c3c909112ace.exe	58
PID 2476 wrote to memory of 1920	2476	11ed905b5c55649b0036c3c909112ace.exe	58
PID 2476 wrote to memory of 1920	2476	11ed905b5c55649b0036c3c909112ace.exe	58
PID 2476 wrote to memory of 1920	2476	11ed905b5c55649b0036c3c909112ace.exe	58
PID 1952 wrote to memory of 1812	1952	Tiwi.exe	57
PID 1952 wrote to memory of 1812	1952	Tiwi.exe	57
PID 1952 wrote to memory of 1812	1952	Tiwi.exe	57
PID 1952 wrote to memory of 1812	1952	Tiwi.exe	57
PID 2476 wrote to memory of 1160	2476	11ed905b5c55649b0036c3c909112ace.exe	56
PID 2476 wrote to memory of 1160	2476	11ed905b5c55649b0036c3c909112ace.exe	56
PID 2476 wrote to memory of 1160	2476	11ed905b5c55649b0036c3c909112ace.exe	56
PID 2476 wrote to memory of 1160	2476	11ed905b5c55649b0036c3c909112ace.exe	56
PID 1952 wrote to memory of 332	1952	Tiwi.exe	55
PID 1952 wrote to memory of 332	1952	Tiwi.exe	55
PID 1952 wrote to memory of 332	1952	Tiwi.exe	55
PID 1952 wrote to memory of 332	1952	Tiwi.exe	55
PID 1952 wrote to memory of 2792	1952	Tiwi.exe	54
PID 1952 wrote to memory of 2792	1952	Tiwi.exe	54
PID 1952 wrote to memory of 2792	1952	Tiwi.exe	54
PID 1952 wrote to memory of 2792	1952	Tiwi.exe	54
PID 2476 wrote to memory of 1532	2476	11ed905b5c55649b0036c3c909112ace.exe	32
PID 2476 wrote to memory of 1532	2476	11ed905b5c55649b0036c3c909112ace.exe	32
PID 2476 wrote to memory of 1532	2476	11ed905b5c55649b0036c3c909112ace.exe	32
PID 2476 wrote to memory of 1532	2476	11ed905b5c55649b0036c3c909112ace.exe	32
PID 3016 wrote to memory of 2320	3016	IExplorer.exe	53
PID 3016 wrote to memory of 2320	3016	IExplorer.exe	53
PID 3016 wrote to memory of 2320	3016	IExplorer.exe	53
PID 3016 wrote to memory of 2320	3016	IExplorer.exe	53
PID 1952 wrote to memory of 1508	1952	Tiwi.exe	52
PID 1952 wrote to memory of 1508	1952	Tiwi.exe	52
PID 1952 wrote to memory of 1508	1952	Tiwi.exe	52
PID 1952 wrote to memory of 1508	1952	Tiwi.exe	52
PID 3016 wrote to memory of 1648	3016	IExplorer.exe	51
PID 3016 wrote to memory of 1648	3016	IExplorer.exe	51
PID 3016 wrote to memory of 1648	3016	IExplorer.exe	51
PID 3016 wrote to memory of 1648	3016	IExplorer.exe	51
PID 2964 wrote to memory of 1596	2964	winlogon.exe	50
PID 2964 wrote to memory of 1596	2964	winlogon.exe	50
PID 2964 wrote to memory of 1596	2964	winlogon.exe	50
PID 2964 wrote to memory of 1596	2964	winlogon.exe	50
PID 3016 wrote to memory of 1716	3016	IExplorer.exe	49
PID 3016 wrote to memory of 1716	3016	IExplorer.exe	49
PID 3016 wrote to memory of 1716	3016	IExplorer.exe	49
PID 3016 wrote to memory of 1716	3016	IExplorer.exe	49

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	11ed905b5c55649b0036c3c909112ace.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	11ed905b5c55649b0036c3c909112ace.exe

C:\Users\Admin\AppData\Local\Temp\11ed905b5c55649b0036c3c909112ace.exe
"C:\Users\Admin\AppData\Local\Temp\11ed905b5c55649b0036c3c909112ace.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2476
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1952
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1172
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:332
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1812
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3016
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2480
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1716
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1648
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2320
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2964
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1844
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1532
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2264
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2972
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1536
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2960
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1160
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2912

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:676

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\Tiwi.exe
C:\Windows\Tiwi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
72KB

MD5
a176dc7c98b52fb5190e0956fd935173

SHA1
f75729e6f57cd333706042120eefec86fa00ceb8

SHA256
098160cec2930cffc4204424dc6225a6abe3f69a4a1067aa74606c1651459845

SHA512
2627fba34c73ba21aedb5d4548a246107301120ba3226c2355f6307ab0fa5e09005f86cdd1a7d8ec161ad6110385691d6f02888ec00e35aeee84ae8754de0989

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
1a70422f5a2e2166caee334ab3fcd4de

SHA1
fcf12a7dfdbf242d507c9622c2527121d8de33ee

SHA256
21f96824e567438c32fb5badcc3fefeb2b47a1e7a1735119d3f4813ed6202fb7

SHA512
7025210df6f6047df75ca338070b632e830e016ad045bcdd85213335cc34783719a1b95cfe03c7037e459724aa2e9a1b5e3f2a6e4ded5fd390d04761363209e1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
137KB

MD5
1899ba3076bfa6a60c72e50bee4149c3

SHA1
d77b7dfc6b1825579401cdccb8d8bd629d614842

SHA256
e838f4283f0a4e798ca43f0ab4e701ecbd506938e47638132dbf0fa7c603b0f8

SHA512
ede0393ad35622f3847cd30fc5ca423b594d4695934771f68b18d3d41eef72e074b79b8c97010e2994d1d8269b69765c3d1e2be5f94b77efe4e8b486f38f6871

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
92KB

MD5
43800c71e5a9a331dc63ccb3e5ca9f1d

SHA1
d550b7d3a8e5fbb0cd175b0c7f7f64b2d36965e7

SHA256
c6a467dfaad76f68c3f63b81f6ca3ae0a5e8f915631e733d8c65e4f07d8d5841

SHA512
d86ed814e9203f23f3ed1af99a434c076b6a8e17299fec5149b7d429de893b51350b9d136828a1f532b0cdeb741ae5df1ec0eb791b07298575a0b2a670347a0e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
137KB

MD5
9403d313fa4b663777a1a8528b8b7b9f

SHA1
83d5efc0df173a1ea47e10e67bc0d733991175e9

SHA256
c9f611f6470a1067b9c10cf4f983d8945e844e7bb21d5a2aed39266e901f1f69

SHA512
7594e5e263e64277b3943569a19a2b07f5e01532370c624fd2a4cfb11690ab554c72d497daebb54a53137fc731ebc4b69760d5082ce18d08ddf0990db3223cab

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
62KB

MD5
0ab4a1d7686b0f946f85c62165df722f

SHA1
cdffea65e40d2f18f1682ecf1cb65dd0a885cd58

SHA256
dfcbb7e2cd9c0148f5d90189662d0fb8b545d2807cb392aa9212c6a89976b112

SHA512
74f766ac85f03788e8c456bc8b4e00c65fe2026c7f2098644f7ec90e4e34d52c2aaff0a87e6861d985ba69a3500f8d5768ef72ff074f96a435b1376571b6908d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
2dbb786f3db5aff37e98a991d407d124

SHA1
2fa7bc7860d2ca08d92172f880b3adbacb3d2cec

SHA256
24d835b593d1dad0c8d4e9c78ae21e1ce5e894fc4e7265c1eec8129e731d1167

SHA512
005fe91b5a5809e91bf604dd0292d9d30a3b23d0afcc138562d535d982d2d9ae2fcba3769ece78ceb6dc7aceb2361575fe3ca9f1d2d3f91113c361c116b92c5e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
7KB

MD5
ff4964d1f0560a8bb4701b8845f62e45

SHA1
21582e869b01f577a1c9117b752c663b2cd1f3e7

SHA256
fa2a0a858265e639c86094b57fee6733dcaf6287ac231a45a76055c182bd187b

SHA512
4bd7a6eb9032d9f61ac9bd18c187da7a35a95336bdaf2b511f3945025c3043f52b1ef494a7afeb474aed7d51553494573f828d484278c7d12c623e2bfe23e761

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
08fbee4c69e66d5eb9b41c754e493411

SHA1
5bd7d8f5c2e14008dc0fd85f8bc123646722be82

SHA256
c4c316f48c1b26c0adb0dbd6d91ec4ab8b4c673ab6e2295279ea38c797c9bf7e

SHA512
76b888d7597debd18a460f3a5039a32cf352ae6f1f3613f18f9cc31e3edff8d60ce4b4e1c1df7ea51593a12549dd32b1cad2e9e4f1545671bcc6c056e9891df1

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
35KB

MD5
f6a2d47216519975b084b2962b426510

SHA1
5ddef406846278c6a66b3a874cca7e9129de0105

SHA256
97c4c21e2b78ab97dc95132e177045e902aff2b5ad27d4edb77717dfaa4e15c3

SHA512
3945fe3b8e646d7b7cf1263cb56adb39e0593923e3052d1ecd29e7d79b94594dd9f67cbf987bfcd6ae960b0d199306d8fcec94672818793ca3248c4d588eb860

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
137KB

MD5
9d7f32878a64ede2e22a8041fd5b235a

SHA1
f34d5a33b4ddbc80e3c52e840c5d499c0563fda7

SHA256
f1882fa0ad4deef498d864e22fe75b8103e37dc122772d1dec15ee14b27ce015

SHA512
2fc3cb51e7f03c9452dba8d4a93dc5ce632a3be71ae2f615989227229a480d623b8de651044b7ead8f41d383c6601e8f33032125873502a5b054a3a17dc47e1f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
137KB

MD5
cbac61f1cce38514cc8c4f4eef1afcb9

SHA1
00d73fbe69886b4856ecd32f3b1c70d8721dfd74

SHA256
0e78152514940d769db7ec31bfc5d5eb8fc40887832af0c54f3b1ca103c08c80

SHA512
365ef2139f571e0909d1b2b28e939488a56d651fbd01cdcffe8dda939eee1738da41b9ae0324fe75ca7d80decea82a3830654eea50f27a3bb2352487952c9c12

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
59KB

MD5
9bbea99368f15aa0529c4939950c7c6b

SHA1
374465c11f95c1c58a5625a2ef1d4523f11076fd

SHA256
a098c835c9cd756db1b529b9b1b1d64717ef62153f11262eef77ff37d14f85a5

SHA512
8f8f935acc6b5020d0590aace9ffe9823c85f061c52f1d7c61f1a31744be2231b5f8b07401399fd3a7f0fd791cb11ced92a38088f485e6b17afa092150cb5b00

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
298KB

MD5
5e7869a3cbe5f695d0876d79d494dd40

SHA1
830005c9fb0a7458f7cc36c45b1c201060e11b80

SHA256
22a23b118ac0443dca6dce3868131346f734603ccfd09a6e281a029962be20e7

SHA512
478fa6c7897d2588a9bc4ab95309c1a303b6409815af49193076e702855037e688edb3d8f70b9b3cb74a4ca6fb78746dd587836019f56e6e98c2bab05343ba87

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
16KB

MD5
a8e6ccc4ee7024760d4bc6965379d708

SHA1
0ddc8ff86e5495fcf36e866e723a3a8416b95d69

SHA256
fe8438dc232bd7b544ab03ba3829a34866289550a6639154fb7650d9e2248fb2

SHA512
49e2aa890db6fbcd2ae81dcd7daac39faf8062819f96042641610fa1bdc0024effe9c09780c3e4a30035b8b38370d3211df99b38b8ebff68ce24106ed2215f26

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
136KB

MD5
52154e170e9dcfda6b1341184be1a575

SHA1
6d117daed07a7b5b0afb14bdbdfedaf4764e8848

SHA256
e455b3b17ce4a2e9e18389a461059a970517b6b3a50277012c5dc9f5274a0e6e

SHA512
b7240081d40926a0be61a3f391e52a1fd4ba65f55a1e67c7cf8fdcd6781e289cf99968dc0b0f6c2647878c7fc9fe50ac19855151997e91a96cfc5ea4f66e1a12

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
e151d077fa24f0de021eb2787abc8775

SHA1
061858c8d35691df0d43afc441f94fef98d08ca8

SHA256
01aef2987cd383ca91fb98f8cc215438ef6cefb979334b1ee8abd14295385b81

SHA512
40e12011f52aeb02ae38d4f342214a2c7fdb21e242172ff91dd68d1886fa3b36561d10dd8ea1c7a528e3a12fb2b2af4107e6fdac6ac4556566a4d3de09edb440

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
2420b2d476574eb90d39e291925c524a

SHA1
fa567f40d9aa32e415b629051d4b12c68bed55d6

SHA256
142dea904c62c1b2e736d21bb1044a3509618a8db209d1bccdf519894832444c

SHA512
41b1bcc832d6d7881ff285def678ca41db1f66e2f709ab573e406aacab5fdd3585dd32f91e507d7069fb5c562b974f6b4a2b601d9710777855a642edbbd827ed

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
1d8b12f82560a8d2e293481184497c76

SHA1
cd9d4b6f2bfd5afaf77ae790967a544fe040c3a3

SHA256
397b32ac34a954130930c58b76cd5ab2519f6affc1ad318ad56b1a3de2130a78

SHA512
facf3211ab0dc1f5ca4c421c511086d697bea5be0e94b8b663234aee421a220ac10018edcbc0cd5d32aea24e1f98cbcc1f7871227a3090948d15cbb68b7ea037

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
11ed905b5c55649b0036c3c909112ace

SHA1
1ae2e6c7b4ea9ea62e81bbca3b6815255d1c614c

SHA256
9cd63b5b3fe79bc9703258dd450bc1a93212859b5398642f9ef89eb567688a86

SHA512
8e4fb2346c0b65d3c4b512b7be414ea5031cf52d579bed2e746219ab608c1f02dcab77335dd7fe0d4cf278ea5a8ac387370a6862cfb8fd27d43fd7d84bff9a33

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
137KB

MD5
01dba6c019dea5919011a48c92b5dc1e

SHA1
94b19c982dbc718d548a09b3320c9eafae8e4237

SHA256
8eb31f2236a6610fd35e478d2d773cee440b98e4f7da4015624ddff7d3963182

SHA512
c91dc77543ab301bfaea09cfbd125194faa534c34c8f8ffa3c418ac9c50634437815a21c793639165e56e9e370bdffcc932ee4da1b93537f5b8b9a2766110240

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
137KB

MD5
2108096689039bdf8315c056cfb4339c

SHA1
f22845b9ef7a5600c8cf9cf9263a216407724dad

SHA256
e202827a1a18e42b5672f4c082dd2d0f63f5c56e8498d3a2f120f1f67cc66966

SHA512
1d56c41e7f43de75c147a46b7432c38d5acffbe25a28ccd8daae066097c4eeb34329531d4760724029c140559ec05d65f21c4edcb8c16be64911c2ac16a3c2fb

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
137KB

MD5
62078b0cdc3e1b3a47226b9c296d6e91

SHA1
56f5ffa575e84fab97bf1f772f26246952ee9272

SHA256
980b6f71b1b0326c1b199706d9f477647d58b8711b5c0908850f51cb4134394b

SHA512
c887c147d6dceb9cda0c00a1dfccf51fbdec2f06e338f8bce8ead4398a4ef9a2c95b56cf4ca0754be208788c49d4af03d6a27a91bae70aadee8d303ea82a7681

Download Submit
C:\Windows\tiwi.exe

Filesize
137KB

MD5
0aaab98c6ec22d7ffc66d6792dede0f5

SHA1
5c54e3f807a52075bbca88dbaaa2839261b1aaaa

SHA256
00f8bb89a73713f042d64f4071eeaa8d7175c5bb4efd1270c1154c5d7673c1f3

SHA512
76a7fdcf1732719e78804022e7d037abd480eaf526a943603f4c929f17d98a2855f365249c0aee0f4defc2cc529f3cab84feb334867985b7d229e73ce84589a6

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
94KB

MD5
590ab46b549257fb15177b46d38463c7

SHA1
7f78c945f016b5d8b656f2d819b6b88d4c169325

SHA256
20fb0ea1d066ed6ceeb9c09c7e73bc6f0bce38ae144bbe5430575f56061fdf52

SHA512
43bd85d3a11214b2834fb272442864035c2f8b48d251fb7db3063c0eb3150101a9017f04812581d7c3812288f71b21155fe53aa53c51cac5cf90ff41ea6d4f7e

Download Submit
C:\tiwi.exe

Filesize
137KB

MD5
727d8832569b2c95a6fd009f8690251b

SHA1
0d32d98d451feaf07db22af2ef2e801d18ecb2a9

SHA256
04fb21372cc08c5969e5c1024d38ead9eaaf5cab39f4e365973c818aa2455fee

SHA512
b1a6c5b063580e42ce5c9b741a7b5b4a7aa84e4b5172011b0f76db4e9bdbba9378ddc64db5b601f8873151cc1c798f68cf4886c8a0df93371151fa03f9e9fd29

Download Submit
C:\tiwi.exe

Filesize
137KB

MD5
ebd07027272b96f066f88ed4dbf0aac1

SHA1
d23d6f4c5bb4d3dadbc59644285d907a511aea42

SHA256
127a85af769ad5090b5f3167f54ce839b643f163de52f7e1afa3b54f7068beea

SHA512
e6fc28fc51db0ecad3e32aa3668568b801ba369637230bbc46cb369eb3fea793f0d6db89162dee49336d68d333cdf9a179a1efa0f6785f06546934590e91b7ae

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
137KB

MD5
92c4839f1e995f0e46ba8e8ad00a2c7c

SHA1
f57a12d24221b9878b2f1eaaa072d44be25cc458

SHA256
1748569ee1766fa1411845d9a208e7742e7b9184d02f30433cf2e6b7697ac37f

SHA512
fd056285179b0d7e7ae58228ebb0c11330b1b78b9ca492f9c4c04960c4cb156d02970b437ad2a605cc9674c5cbf0ff02e29fbf831b029891a96cdf00484bfd46

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
126KB

MD5
abe76f9af24646e3741b6597341976e8

SHA1
d918363ecb6d3b45d35ed37746c89be10641b862

SHA256
6fe133d509be0c8e7b26c45028ff5b4f9c84f2f8d49256295bc640c8695d0206

SHA512
abd0923876ed9804d831c713c4485b6a97ea299f2e839e15e77ed302f4429d412aafbc639f1046cc025e0aeae6133610ab0a593c5adbf4093e4497c85465362f

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
137KB

MD5
4e1e516235be3529accb910cb791885a

SHA1
7ff3b28102286e5035baf0e18404c50535822051

SHA256
caeccda7f7357bc852a798b2aa7bfe628244e16a71468212b58a6ffd95f2910b

SHA512
1353297dd21372e32cf1731d5fb42c4ee51661291e8ed52a6e21d328503d280902982b3a3d5179865c496cc686ad2771c5c060dc186b23aba9d522015f53c271

Download Submit
memory/320-461-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/332-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/332-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/676-475-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/992-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/992-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1160-417-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1160-342-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1160-484-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1160-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1160-493-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1160-491-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1160-468-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1172-400-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1508-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-485-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-329-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-512-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/1532-504-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-359-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1536-492-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1536-496-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1552-466-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-396-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1648-343-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1648-357-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1716-398-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1812-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1812-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-352-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-279-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-421-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-481-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-382-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-277-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-381-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-358-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-351-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-347-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1952-332-0x0000000002510000-0x000000000253B000-memory.dmp

Filesize
172KB

Download
memory/1984-463-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2264-465-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2320-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2476-175-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-123-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2476-339-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-186-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-188-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-100-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-247-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-308-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-98-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-355-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-104-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-464-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2476-325-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-118-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2476-259-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-257-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2476-255-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2480-457-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2624-427-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2648-460-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2792-331-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-471-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2800-544-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-384-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2852-422-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-401-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-403-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-499-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-426-0x0000000002D30000-0x0000000002D5B000-memory.dmp

Filesize
172KB

Download
memory/2964-479-0x0000000002D30000-0x0000000002D5B000-memory.dmp

Filesize
172KB

Download
memory/2964-480-0x0000000002D30000-0x0000000002D5B000-memory.dmp

Filesize
172KB

Download
memory/2964-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-483-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-127-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-486-0x0000000002D30000-0x0000000002D5B000-memory.dmp

Filesize
172KB

Download
memory/2972-490-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-472-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-391-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/3016-482-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-111-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-341-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/3016-404-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/3016-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-340-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/3016-425-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/3016-330-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download