67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65fdbb4874824edbae3b8ddd9758f7f6.exe
Size

274KB
MD5

65fdbb4874824edbae3b8ddd9758f7f6
SHA1

13fc501a38199ad1e58e301eccc72f08a490068b
SHA256

67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a
SHA512

60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4
SSDEEP

6144:2WC4YgB9Giy6WC4YgB9GiybWC4YgB9Giy6WC4YgB9GiyOWC4YgB9Giy6WC4YgB9d:FtJ9GiwtJ9GiztJ9GiwtJ9Gi8tJ9GiwL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
2564	Tiwi.exe
2904	IExplorer.exe
2996	winlogon.exe
2796	Tiwi.exe
572	IExplorer.exe
1376	winlogon.exe
2476	Tiwi.exe
1160	IExplorer.exe
2052	imoet.exe
1096	Tiwi.exe
1496	Tiwi.exe
896	winlogon.exe
1724	IExplorer.exe
2284	imoet.exe
2836	IExplorer.exe
2840	winlogon.exe
2892	winlogon.exe
3012	imoet.exe
2956	cute.exe
2952	cute.exe
2752	cute.exe
2636	imoet.exe
2920	cute.exe
2780	imoet.exe
1692	Tiwi.exe
1140	cute.exe
2800	Tiwi.exe
2648	IExplorer.exe
1148	winlogon.exe
1420	imoet.exe
2552	cute.exe
2676	IExplorer.exe
2064	winlogon.exe
2540	imoet.exe
1972	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2564	Tiwi.exe
2564	Tiwi.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2564	Tiwi.exe
2564	Tiwi.exe
2904	IExplorer.exe
2904	IExplorer.exe
2564	Tiwi.exe
2564	Tiwi.exe
2996	winlogon.exe
2996	winlogon.exe
2904	IExplorer.exe
2904	IExplorer.exe
2904	IExplorer.exe
2996	winlogon.exe
2904	IExplorer.exe
2564	Tiwi.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2564	Tiwi.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2904	IExplorer.exe
2904	IExplorer.exe
2996	winlogon.exe
2996	winlogon.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2996	winlogon.exe
2996	winlogon.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2956	cute.exe
2956	cute.exe
2956	cute.exe
2956	cute.exe
2956	cute.exe
2956	cute.exe
2956	cute.exe
2052	imoet.exe
2052	imoet.exe
2052	imoet.exe
2052	imoet.exe
2052	imoet.exe
2052	imoet.exe
2052	imoet.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	65fdbb4874824edbae3b8ddd9758f7f6.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\U:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\V:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\G:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\N:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\W:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\T:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\R:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\H:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\Y:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\M:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\S:	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\X:	imoet.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\tiwi.scr	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\shell.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Mouse\	IExplorer.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2564	Tiwi.exe
2052	imoet.exe
2996	winlogon.exe
2904	IExplorer.exe
2956	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1204	65fdbb4874824edbae3b8ddd9758f7f6.exe
2564	Tiwi.exe
2904	IExplorer.exe
2996	winlogon.exe
2796	Tiwi.exe
572	IExplorer.exe
1376	winlogon.exe
2476	Tiwi.exe
2052	imoet.exe
1160	IExplorer.exe
1096	Tiwi.exe
896	winlogon.exe
1496	Tiwi.exe
1724	IExplorer.exe
2284	imoet.exe
2836	IExplorer.exe
2840	winlogon.exe
2892	winlogon.exe
3012	imoet.exe
2956	cute.exe
2952	cute.exe
2752	cute.exe
2636	imoet.exe
2780	imoet.exe
2920	cute.exe
1140	cute.exe
2800	Tiwi.exe
2648	IExplorer.exe
1148	winlogon.exe
1420	imoet.exe
2552	cute.exe
2676	IExplorer.exe
2064	winlogon.exe
2540	imoet.exe
1972	cute.exe
1692	Tiwi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2564	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	28
PID 1204 wrote to memory of 2564	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	28
PID 1204 wrote to memory of 2564	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	28
PID 1204 wrote to memory of 2564	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	28
PID 1204 wrote to memory of 2904	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	29
PID 1204 wrote to memory of 2904	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	29
PID 1204 wrote to memory of 2904	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	29
PID 1204 wrote to memory of 2904	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	29
PID 1204 wrote to memory of 2996	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	30
PID 1204 wrote to memory of 2996	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	30
PID 1204 wrote to memory of 2996	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	30
PID 1204 wrote to memory of 2996	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	30
PID 1204 wrote to memory of 2796	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	31
PID 1204 wrote to memory of 2796	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	31
PID 1204 wrote to memory of 2796	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	31
PID 1204 wrote to memory of 2796	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	31
PID 1204 wrote to memory of 572	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	58
PID 1204 wrote to memory of 572	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	58
PID 1204 wrote to memory of 572	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	58
PID 1204 wrote to memory of 572	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	58
PID 1204 wrote to memory of 1376	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	57
PID 1204 wrote to memory of 1376	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	57
PID 1204 wrote to memory of 1376	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	57
PID 1204 wrote to memory of 1376	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	57
PID 2564 wrote to memory of 2476	2564	Tiwi.exe	56
PID 2564 wrote to memory of 2476	2564	Tiwi.exe	56
PID 2564 wrote to memory of 2476	2564	Tiwi.exe	56
PID 2564 wrote to memory of 2476	2564	Tiwi.exe	56
PID 2564 wrote to memory of 1160	2564	Tiwi.exe	55
PID 2564 wrote to memory of 1160	2564	Tiwi.exe	55
PID 2564 wrote to memory of 1160	2564	Tiwi.exe	55
PID 2564 wrote to memory of 1160	2564	Tiwi.exe	55
PID 1204 wrote to memory of 2052	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	54
PID 1204 wrote to memory of 2052	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	54
PID 1204 wrote to memory of 2052	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	54
PID 1204 wrote to memory of 2052	1204	65fdbb4874824edbae3b8ddd9758f7f6.exe	54
PID 2904 wrote to memory of 1096	2904	IExplorer.exe	53
PID 2904 wrote to memory of 1096	2904	IExplorer.exe	53
PID 2904 wrote to memory of 1096	2904	IExplorer.exe	53
PID 2904 wrote to memory of 1096	2904	IExplorer.exe	53
PID 2996 wrote to memory of 1496	2996	winlogon.exe	52
PID 2996 wrote to memory of 1496	2996	winlogon.exe	52
PID 2996 wrote to memory of 1496	2996	winlogon.exe	52
PID 2996 wrote to memory of 1496	2996	winlogon.exe	52
PID 2564 wrote to memory of 896	2564	Tiwi.exe	51
PID 2564 wrote to memory of 896	2564	Tiwi.exe	51
PID 2564 wrote to memory of 896	2564	Tiwi.exe	51
PID 2564 wrote to memory of 896	2564	Tiwi.exe	51
PID 2904 wrote to memory of 1724	2904	IExplorer.exe	50
PID 2904 wrote to memory of 1724	2904	IExplorer.exe	50
PID 2904 wrote to memory of 1724	2904	IExplorer.exe	50
PID 2904 wrote to memory of 1724	2904	IExplorer.exe	50
PID 2564 wrote to memory of 2284	2564	Tiwi.exe	49
PID 2564 wrote to memory of 2284	2564	Tiwi.exe	49
PID 2564 wrote to memory of 2284	2564	Tiwi.exe	49
PID 2564 wrote to memory of 2284	2564	Tiwi.exe	49
PID 2996 wrote to memory of 2836	2996	winlogon.exe	48
PID 2996 wrote to memory of 2836	2996	winlogon.exe	48
PID 2996 wrote to memory of 2836	2996	winlogon.exe	48
PID 2996 wrote to memory of 2836	2996	winlogon.exe	48
PID 2904 wrote to memory of 2840	2904	IExplorer.exe	47
PID 2904 wrote to memory of 2840	2904	IExplorer.exe	47
PID 2904 wrote to memory of 2840	2904	IExplorer.exe	47
PID 2904 wrote to memory of 2840	2904	IExplorer.exe	47

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe

C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe
"C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1204
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2956
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1160
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2476
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2904
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3012
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1096
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2996
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2836
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1496
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2052
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2064
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:572

C:\Windows\Tiwi.exe
C:\Windows\Tiwi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\Tiwi.exe
C:\Windows\Tiwi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
274KB

MD5
a1515e2145e4a1e1d1dee07a7b9884ed

SHA1
e81f5bdbb3610ac09a858e9c94737507e123827e

SHA256
40fba1ee1098ac055debc2ba346588a1abc58419c0c4c186c7ba41b753382683

SHA512
c86c7943b90b5337d7d9550cc5cc8a6087dea91247c2643fbebf1157b8ed347a649a160681c86a24755cf1b71b5490f0e6f484550e85326a31577f8b7dd06777

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
8119ad941a12f4dc1f4a9828d3a94c9e

SHA1
0e7424d0f597bb9e2f36eb3a642768dedd8a7de2

SHA256
62f54c698e0944f63a9ea8ef848da87c7ef7a90cdfa38567062c7a66b02bfb59

SHA512
e886f4b474a8706209364107d4b0750a90685a6572d0be641e98d50be9f86da54494632befb4c239dd7db1ef54b8f84945e338568c1c49cdba48d3a2ed3c0399

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
116KB

MD5
d1caaedf7dcc078e5272243ea2755c21

SHA1
fe99f058db9c61424da63c62f012dbb2f82f2658

SHA256
4235da98bcb0d5eac4e8614e308a6cae55b464f29275abd88e7a39456966a846

SHA512
b8a8f8ab92ed4a57447356c3983bb4b0757b56bb6af60fb1f4d5f49184dd02918e9ee874c2162cfb29e0eb36b075d907ebdf2f2333cabad76af0750c2a8ced00

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
40KB

MD5
e36f9d52ecd7f97239fb76641043bfcd

SHA1
504f16b49e16dc97d81249e5731e36b29937b89c

SHA256
ce8e7c3bcf18d2839decb2360460f166c6b69a62c375b201a7c01fc9b9d48341

SHA512
d1ac15e19ce105710cde9fbd3bfe90f225ec8417ac590b0aeeaeaf40a73bae4a770561b12f11ebd3874d61d2dcc2acea9c63a4c0dafda378e396576dd68e5273

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
169KB

MD5
797f02b95cdb321406fc6c8a1e93fc83

SHA1
a86fe1cc8ad30bcc6f2b85479157e8c4fba6f26e

SHA256
c0c87a9ce674853f4d86e414bdfe49074c6409f6659ebc249613ce44484f888f

SHA512
618075af3edd2cb55acc86fd4c4a5823e93c48522019a44b39b3bcbdc39a383c24c21b7df6a2d93d5730136ab363e799b11805191ff4b385e904f8833b3909e0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
274KB

MD5
937c02a2f4fc1705d464f841440571ab

SHA1
a641bd9d5651bd5c7d7dc3f7006bc950d89e6347

SHA256
45d837b052b0ace5fd1ac9518029d1a54bad49d825235cbb381037ae68a5ce21

SHA512
3a7ca1d14c79b906b339e288efdd20aee6b233d98d35350e09293aa424fedd7ed6e4dde7d17d83ecaf57b41fe404cf817ab35173c227519211164ee68a0df869

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
274KB

MD5
c09a1125487eaaeb148b70534cdbd484

SHA1
3e55a152f40a29bb43e5d96d2339b6850345993d

SHA256
0caefc8a189ba2f8c1cc9f6361870a05ccaaa882904f6981472b729dae406089

SHA512
62ef792b7d7419a23d2ec721c28147589e21a3168b132bd47f7881f8b8a24fb16d29510ca04e5777ebce5500c01cb56a740e8d733632f355598a251292af60c6

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
217KB

MD5
b7f4b9831e5319b67e3fffec007a2e4f

SHA1
fb806b247ad05488e1c193d800796cd93d1fceb8

SHA256
a502ea3855b869929ec0e802824a01724260da34b4ce249f912030405a7e9d61

SHA512
8babd8ca9954e3609c0b13c9f3f4b91076f7d184825806aa625b598369bc86548a6fd40325b9e7fce5072db0ced95c500a441d323bbcb251d59272c22654ffb8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
2ef6d0776eaf1b1354400f54934fc3d9

SHA1
ba07f6d2438a1bf1b6fd2e22167599aeafe5d422

SHA256
5f66dc37c4315d8156a0af2f9c43c7f91672468b20170683ab6d5ca37845773f

SHA512
074192140df5c2e19f62c8d42e20498c76fd246ca148de29ddbd41ad41d6756e599697e39401aba9a2bd98e3be22072c8bdcd5a4f26a8f4ae384c200a5549003

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
8e07dcd7f47a5515f7fa68da04b2e16c

SHA1
72cde03721ab41e6c69a60e18b6e79bfda22eb50

SHA256
90dd8449544083798d80b470f8aa5c82873d93147e4f3214f15faafe7ef9b080

SHA512
b4e36f283e86a95fa730f5aa173a3502d5fd0e5c3d634afbb476e8d501c69b47c063d32542cae3fdbf0ee91b7f0ca8db2391aa4e74865cc4628e8f7a3248c961

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
4a13daa8e597656281e6bc730524013d

SHA1
04ff5c3af82ff96cc6ac1ef5ade44608bb05e253

SHA256
7a631158d9fc9e349fb0b87b67ef1e81571752bd81b55021ffcc1af06f427f91

SHA512
54c1a125ad3b90c118d00bc0deb99fd684768dbfe02475b41514495da3674897563477b6f4efbba50fb72f990187f576730c8af6eb4c4816ec688216fc2c8fc2

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
116KB

MD5
65880c4a980ee3d3c9cb68669d09d3f9

SHA1
1c3b47745d72de11c5d93f8486a7e237738da482

SHA256
15bdadaa6b83e4768c78ebd99bb7d17d61c583fb0b1258bbb76a6ec6613eb3cc

SHA512
bda4ba871e3b1972a5b7ceeca0e4a467258c84d44ebcbbbf7076405b448d94e75c84485042158871c4c806477a5259fdadd52a0e606ce8986dccf0e2bdfe6beb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
130KB

MD5
c059c5e521847d7c84d613bda53c417d

SHA1
2d47e45c990528cd8c78e093c29517e7a9e2d9fc

SHA256
d7e11d28b96fbaa043ba35adba1725fa0189c607776b84107cd821f887bda3d9

SHA512
a49d2f5c52f232fb49442e23d6973dc598e999366474cf1fa04803b09c4d09d399f66f53769fadfbbb3026d9d96e03799ad5c631316a0029971b670344899ebe

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
274KB

MD5
c74068870764b20584071480e7bd0d79

SHA1
b40d2cc244fa9f8d3396ef4730b9a1509a6c267b

SHA256
711060259a5a5befaea31a95f16a6bf4fa267fa422c111ac6a695a9e846d2b3c

SHA512
de23670612817606bf40b4b91e9bc30fc4994fd4963cb1d1a34ac9abce4ae8986ea98edae7b780d3909b577d4e0988a494256c30974e187bc684f4ced9b129d7

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
117KB

MD5
ce7e48dc7995ba5da358665880bad115

SHA1
4a09649e5f63938dabbd6a82388bcb2910211ffa

SHA256
7b2f9ff048b0b006a15d6f4ae64dbe5d308baae4d51d28a60e722eaf4b1e9066

SHA512
c3e8581b60fd681c31e80772f3f1820355d1189422f7b9e63ac7fcf1b9156ab3074ff94f656d006a9c90d8b7bc38dec078b0681d45ef1b0106f76b2f49dd480a

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
274KB

MD5
91618c32d5b760a16ef0c5c87d743a2d

SHA1
6b6267ceba603ccde313c02e87f91f8a8e74b26f

SHA256
6fa1e7ce49effab018c98f8fcdf08a66febfef1388079cf62d6a6d0b65a140b0

SHA512
f0f2caf4a0c6def4e602dbfd40449a73f1a00345c8cd1ef896d876130fc80d9e650cee7f37e4b0d6300e271db16a126ff42759d87a11b4f779e3ece358f1ea42

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
399KB

MD5
436c295f145943b64388e234246b7650

SHA1
e9196fe3fb0ef73a0fa251944e57c22d41f561e4

SHA256
a1f8cb454f038d0459eba7a265bac79375f5e673efaedd934ec4bfa03ea64236

SHA512
cf4e3147f7b903f7ab5fd0112036db93f919f4d7c47aae799fd7e04bdf0c42782daf00fe80ccfd68ba31dfef238065838fed90dc04ab8964b6e0238865c55518

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
90KB

MD5
9fe05d709186f080e9767b3f1e77a7cb

SHA1
ff9286c16666378fce0bfa9d84273ac75afcd73a

SHA256
9019205f18f642930651c833013a35e46a79d1fc391ae44d81bbccfa52dd045b

SHA512
149ae9f45284f51b99a7d33be157a9a3cf6bb2abdfb988637e226034cb4dffc6fbca55fc3e1b2f1e5883b0b7aaffba003c45b4d1300cbd5e77c36a0addf3cd69

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
100KB

MD5
2972b16f826aec19e8da1a282fd592da

SHA1
50400cc2a57f308fa5889647fab69c32bf180496

SHA256
31b0d5da2fa67fb84111c5872a0574b71ed3022c7766b1f262f832fd63532f8a

SHA512
b3b9ba80d8d17c07e7b34dff649c3bbeb62e7b3ed4ba3eca0214928fdad84b50f6fb566168f1024cc798e75b23498004e59e24f0fc0e7658898d9bbf8f103440

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
274KB

MD5
0dd8cd314d94cfad0f1f3d2e4de8d5b2

SHA1
25e786ee702998ebd953b89028b9ca6d471c55bd

SHA256
504d66cc6d5167f73f31fa5130ab5c5228b0c92651729fc10b348c610de9835a

SHA512
24223e39372f7001019f06d74ea2b932ba75d309d46343708998db458225a75f84c96648067d04aaaf1ac33dd78352784913d4c8a4ceeef3fdb72d68f1d2a38e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
136KB

MD5
8455a6359f78de91e6b0bf637631607d

SHA1
11268b8e4c88320f668cfb5f8bb68257bf5b05d0

SHA256
61ffc661a171df73d36836251e8fa6485216d11591e9aee4d0dc60b63bd7c992

SHA512
d6af0cc306399d3db02a6e5f7ae5d9b20b176403e449b6aa4add402cbf60f08eadd009e8313834e4990270065ae9dac3f38735a22a0580f754d7db15ac659f2a

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
274KB

MD5
50a683ee38676c2d2597252078164e19

SHA1
c9a0e7e840d15b4f813ffa807415c3424fe57975

SHA256
29789f4f573a4f4ff1a1618605e7667f9a014b4bf5f64172fd738e7a51475c7e

SHA512
b4108fa91ef232d886eacf085f31fd2d4eb36da72afc3874e6c41977566b8457d4cc336e11463fe897ef266ab98f83f5c5ed471aa68d5eeb4e31248b84e93ba3

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
274KB

MD5
65fdbb4874824edbae3b8ddd9758f7f6

SHA1
13fc501a38199ad1e58e301eccc72f08a490068b

SHA256
67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a

SHA512
60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
166KB

MD5
8bae946b0dc168acc0164ee6e6e438e9

SHA1
ca377cf98561e268f03e38bfc521ff4efb445a3b

SHA256
9e24974ddafce7bbe2ecf42dc1f871666b8eafd2445fea07cb02855787b55de7

SHA512
8135bd76389b613d3958907facfa30e7fa85b7f4cf9bc0f076772dd1348f5ce8e60268eb46de5930b821b458070eaea4067be77865681c8da0c1f947e1791138

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
58KB

MD5
6c61b940c4911b0bf1ebabb60a3d5599

SHA1
a91194505830fe3bb1e6866446e7109f515c242c

SHA256
a8e840991d1b3d40f8838bcda230a340e2c8bd5691483897562a70a4ae2763ec

SHA512
0007c65fc46dc16bf5ae141640115ddd741bb5de5d1734463fbfa8da691ccad0e24f0e7929d63ecc075fbfdf32744410f96a769bfd820636633ca63ad6f9e0f3

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
59KB

MD5
d021b315fdc330d4a37f8a581da1742a

SHA1
d3eb8c0fa7871f52fa15751468b8802c21d961cb

SHA256
d8c649e289ac98980d0854560eff0a127f9b079a3926194a110b38e4934c2e1f

SHA512
6808e415ee9d14cefced19e783becf2bee9d916863752726549d6980717b4374ff81735a0618cad4e964f71db139ca0ccd0fa41e406d5397a9140f85efcc0c40

Download Submit
C:\Windows\tiwi.exe

Filesize
32KB

MD5
f93d0ce1f2f4021ffba0edad8c37a317

SHA1
0dd07de451a77245e8ae5102172f31f32ff67b72

SHA256
ff1b7234f669d84e8df56c7afb0353cfabc19a91abb56fce166b355dd0307140

SHA512
f3ec4165c141b23ea87c1478acc1d8d420058b1ea9822c9222643394325f583e84bd4e8b33b98548d9c0f2b410fe3176ab5b9462e7761d963c72af39d660ec7d

Download Submit
C:\Windows\tiwi.exe

Filesize
274KB

MD5
6eeb0d26840cadb4dcddc8c8260a7199

SHA1
8fd33fa9ec2407e1c0df3b1084e3caa0bbe21fe1

SHA256
83422e1fa2a6076c3bcafcb8ee34c6bd5cf26f5be32a49ea02ac8790b7f23462

SHA512
b246f3a7cdcee93e68a6034c62e3a78d6c1b78ea05be99b9d5c9e18ef3828b52bcab353737ee25c751a698f8ee8abfa6c22fc74c97797045e70c0a3f176a045c

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
274KB

MD5
d31470542e7311e0f2d6f237f064ec5d

SHA1
c04aa0b3e05bdef0ae4d66dad2c80c5f3d4a9251

SHA256
1da98bbf2d33a563750b245ef3e1b15763cbf5a36217c1ac15eb48d13a2c8e36

SHA512
50fd31398e484feaa1cffbe3a71cb29611308b44f5a34a0a114ba0a06a1a5b743d95f8ac903ef779299e4d8a60b4f63410a5af81b864d913bde77e784eea1020

Download Submit
C:\tiwi.exe

Filesize
274KB

MD5
b82b9410c08b9860595c70b7548ba2fa

SHA1
18aba6787c5b5c565155e93132bb439578583245

SHA256
4c4f4e6363a3c9b3e7b6e3a15161c33cfa440ff75e87787869f198d4b2ddb797

SHA512
1e2f5e3cab2e37499e931ed2fab37562f6ffd366a6d91083c462324a41194a54511acb9f76a39243726983974c92680a91a44d0c85cbfd706ae5c0ef0543d7ba

Download Submit
C:\tiwi.exe

Filesize
274KB

MD5
777ffc7ecc017cfe329c9e4bdaeb752a

SHA1
4871cb40c0f95ab1e4527889c73701b8ce55b56e

SHA256
fa9d0957a54136ae5723c66d2ca56e08d62e7c798a9650206d2fbb4f87de4df2

SHA512
c99287ca481b0c06faa1456a357e856c3600513aae9899c3253405ddc3b360e89d3979048fbd9370a3f4739e4973f1f5fc1b1d53fa8704ef75bd5ca48af4aeb0

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
274KB

MD5
5c564b592910d4c281a9affb5b2cf300

SHA1
c5e2ab45149898db02efc1956bedd062639917f9

SHA256
7080109237b3d0a698527cca78285434efcf443d82251bf027f9f433e8277037

SHA512
b0dca032d58e3a4a98fa04b4e1cba640b4479fa0e13a4f7bf0bf0631920976ed69c0d0293224bb86092f22cb83043c0bd1f460bf375ed7b1ab774f2f4f5ee6ec

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
274KB

MD5
17fb750d5c2737a5090154a1e13144f0

SHA1
79f25a73e097ce873dfbf74a13da7c264cb0b4c2

SHA256
ef8d814c66ad6d7b5b010626a5cf553282879bf45faa69f56d5ff0b066711966

SHA512
3f1f12543988e60875cc5ffe8f5325c8ddc4686ceda321df28e23289c63510d78c3e4a213588d95d00c1421a718eaf3156213ac946d078699eb8cac16e6c550c

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
115KB

MD5
b4931954fffc2888073236ee57ac1b9c

SHA1
adb4ab37613d8ef472774ddd0c825a6fcc06be3a

SHA256
8b8740cccd2a9819a85705dcb96132dc0337b0de833eb4e2bdca5072b325de60

SHA512
cd575946350092bfbec360a3c97bf806b8525b3dc2bd1c78b51e06583cd0e8560bbad198351c40b8cdec6757b8a5920953fee970319ad19edd0681ed3292f4e7

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
55KB

MD5
cd705efc3cd32115ad9aca0e973e7fb6

SHA1
545b09f4240a45758bb2a10a31128dd2df0d6d9f

SHA256
436da9399e8d0d2967ca0b7cec1017a2377f6d7fb13fb5233f61912f1d19f4e7

SHA512
fc2eeb520cd73c1e0110239372dd40ae5305403686b9ae584e8ce8c59415bd3b86b4ff0a542d791b6234e83b1cfc75c173e7ee3c36912d14251d65872ad4caaa

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
72KB

MD5
ed025aab105ba24356b62adc89031ef3

SHA1
7fc799d71b7f4e0a5525d54b7907fed4c32aff0e

SHA256
bc9137a9caad1f9b1618be34b52dabe6fdf0a11d9cd22b51573854b6b5d84d17

SHA512
d25f222320e5fe408d944d3550d5a3de83448ffda7ae8f2475c789ede049e0261fc1202072b7976e6be444737b2fa0ff02203eeedaeef0ec6f77ecdc24c076ca

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
214KB

MD5
d2e3df3e10321fdbc0b8dd04d7ee12c4

SHA1
60f4eb4fab700c8744cffe612df2eb2232205a8d

SHA256
6f5c1dae2e26b258750ef93d23929c5f91b244e5923f7de32f5566641e447c2b

SHA512
7097d73f68d9da02ebb3303d3532bc4321920aa69db4bbc47aa84e79749714d02f04dfabc8bf224a26f67cdb93818e8ac2f27d15b03af160841d8561ed545e74

Download Submit
memory/572-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/572-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/896-364-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/896-348-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1096-356-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1096-302-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-465-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-499-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-501-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1160-341-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-349-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-175-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-189-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-94-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-368-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-299-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-259-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-376-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-119-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-187-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-98-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-200-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-124-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-342-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-466-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-386-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-111-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-202-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-104-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-418-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1204-421-0x0000000002520000-0x000000000254B000-memory.dmp

Filesize
172KB

Download
memory/1376-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1376-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1420-506-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-355-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-375-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1972-535-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-539-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-381-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-515-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2052-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2064-526-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-389-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2476-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2540-530-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2552-510-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2564-258-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2564-346-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-347-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-293-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-462-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-362-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-385-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-512-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2564-432-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2564-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-428-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-433-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2648-495-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-523-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2752-434-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2752-427-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2780-460-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2800-491-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2836-380-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2840-379-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2892-392-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-382-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-378-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-425-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-338-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-490-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-513-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-354-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-383-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2904-497-0x0000000002E30000-0x0000000002E5B000-memory.dmp

Filesize
172KB

Download
memory/2920-459-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2952-396-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2952-431-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-419-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-496-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2956-503-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2956-516-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-502-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-489-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2996-514-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-360-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-498-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/2996-369-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/2996-345-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/2996-410-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/3012-397-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download