67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65fdbb4874824edbae3b8ddd9758f7f6.exe
Size

274KB
MD5

65fdbb4874824edbae3b8ddd9758f7f6
SHA1

13fc501a38199ad1e58e301eccc72f08a490068b
SHA256

67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a
SHA512

60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4
SSDEEP

6144:2WC4YgB9Giy6WC4YgB9GiybWC4YgB9Giy6WC4YgB9GiyOWC4YgB9Giy6WC4YgB9d:FtJ9GiwtJ9GiztJ9GiwtJ9Gi8tJ9GiwL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 30 IoCs

pid	Process
5020	Tiwi.exe
1784	IExplorer.exe
3088	winlogon.exe
5680	imoet.exe
3740	cute.exe
4172	Tiwi.exe
5992	IExplorer.exe
3228	winlogon.exe
6012	Tiwi.exe
2960	imoet.exe
3252	IExplorer.exe
2200	cute.exe
5380	winlogon.exe
3332	imoet.exe
4140	Tiwi.exe
3564	Tiwi.exe
4516	Tiwi.exe
1824	cute.exe
5712	IExplorer.exe
3076	IExplorer.exe
5208	IExplorer.exe
2988	winlogon.exe
5740	winlogon.exe
1716	winlogon.exe
5348	imoet.exe
5148	imoet.exe
4040	imoet.exe
5556	cute.exe
4116	cute.exe
1604	cute.exe

Loads dropped DLL 5 IoCs

pid	Process
4172	Tiwi.exe
6012	Tiwi.exe
3564	Tiwi.exe
4140	Tiwi.exe
4516	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\L:	cute.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\R:	imoet.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\shell.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	65fdbb4874824edbae3b8ddd9758f7f6.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\s1159 = "Tiwi"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Mouse\	Tiwi.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	65fdbb4874824edbae3b8ddd9758f7f6.exe
2712	65fdbb4874824edbae3b8ddd9758f7f6.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
5020	Tiwi.exe
5680	imoet.exe
3088	winlogon.exe
1784	IExplorer.exe
3740	cute.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2712	65fdbb4874824edbae3b8ddd9758f7f6.exe
5020	Tiwi.exe
1784	IExplorer.exe
3088	winlogon.exe
5680	imoet.exe
3740	cute.exe
4172	Tiwi.exe
5992	IExplorer.exe
3228	winlogon.exe
6012	Tiwi.exe
2960	imoet.exe
3252	IExplorer.exe
2200	cute.exe
5380	winlogon.exe
3332	imoet.exe
4140	Tiwi.exe
1824	cute.exe
3564	Tiwi.exe
4516	Tiwi.exe
5712	IExplorer.exe
5208	IExplorer.exe
3076	IExplorer.exe
2988	winlogon.exe
5740	winlogon.exe
1716	winlogon.exe
5348	imoet.exe
5148	imoet.exe
4040	imoet.exe
5556	cute.exe
4116	cute.exe
1604	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 5020	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	83
PID 2712 wrote to memory of 5020	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	83
PID 2712 wrote to memory of 5020	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	83
PID 2712 wrote to memory of 1784	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	90
PID 2712 wrote to memory of 1784	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	90
PID 2712 wrote to memory of 1784	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	90
PID 2712 wrote to memory of 3088	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	91
PID 2712 wrote to memory of 3088	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	91
PID 2712 wrote to memory of 3088	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	91
PID 2712 wrote to memory of 5680	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	92
PID 2712 wrote to memory of 5680	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	92
PID 2712 wrote to memory of 5680	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	92
PID 2712 wrote to memory of 3740	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	93
PID 2712 wrote to memory of 3740	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	93
PID 2712 wrote to memory of 3740	2712	65fdbb4874824edbae3b8ddd9758f7f6.exe	93
PID 5020 wrote to memory of 4172	5020	Tiwi.exe	127
PID 5020 wrote to memory of 4172	5020	Tiwi.exe	127
PID 5020 wrote to memory of 4172	5020	Tiwi.exe	127
PID 5020 wrote to memory of 5992	5020	Tiwi.exe	126
PID 5020 wrote to memory of 5992	5020	Tiwi.exe	126
PID 5020 wrote to memory of 5992	5020	Tiwi.exe	126
PID 5020 wrote to memory of 3228	5020	Tiwi.exe	125
PID 5020 wrote to memory of 3228	5020	Tiwi.exe	125
PID 5020 wrote to memory of 3228	5020	Tiwi.exe	125
PID 1784 wrote to memory of 6012	1784	IExplorer.exe	97
PID 1784 wrote to memory of 6012	1784	IExplorer.exe	97
PID 1784 wrote to memory of 6012	1784	IExplorer.exe	97
PID 5020 wrote to memory of 2960	5020	Tiwi.exe	124
PID 5020 wrote to memory of 2960	5020	Tiwi.exe	124
PID 5020 wrote to memory of 2960	5020	Tiwi.exe	124
PID 1784 wrote to memory of 3252	1784	IExplorer.exe	123
PID 1784 wrote to memory of 3252	1784	IExplorer.exe	123
PID 1784 wrote to memory of 3252	1784	IExplorer.exe	123
PID 5020 wrote to memory of 2200	5020	Tiwi.exe	122
PID 5020 wrote to memory of 2200	5020	Tiwi.exe	122
PID 5020 wrote to memory of 2200	5020	Tiwi.exe	122
PID 1784 wrote to memory of 5380	1784	IExplorer.exe	121
PID 1784 wrote to memory of 5380	1784	IExplorer.exe	121
PID 1784 wrote to memory of 5380	1784	IExplorer.exe	121
PID 1784 wrote to memory of 3332	1784	IExplorer.exe	120
PID 1784 wrote to memory of 3332	1784	IExplorer.exe	120
PID 1784 wrote to memory of 3332	1784	IExplorer.exe	120
PID 3740 wrote to memory of 4140	3740	cute.exe	98
PID 3740 wrote to memory of 4140	3740	cute.exe	98
PID 3740 wrote to memory of 4140	3740	cute.exe	98
PID 5680 wrote to memory of 3564	5680	imoet.exe	119
PID 5680 wrote to memory of 3564	5680	imoet.exe	119
PID 5680 wrote to memory of 3564	5680	imoet.exe	119
PID 3088 wrote to memory of 4516	3088	winlogon.exe	100
PID 3088 wrote to memory of 4516	3088	winlogon.exe	100
PID 3088 wrote to memory of 4516	3088	winlogon.exe	100
PID 1784 wrote to memory of 1824	1784	IExplorer.exe	99
PID 1784 wrote to memory of 1824	1784	IExplorer.exe	99
PID 1784 wrote to memory of 1824	1784	IExplorer.exe	99
PID 3740 wrote to memory of 5712	3740	cute.exe	118
PID 3740 wrote to memory of 5712	3740	cute.exe	118
PID 3740 wrote to memory of 5712	3740	cute.exe	118
PID 3088 wrote to memory of 3076	3088	winlogon.exe	101
PID 3088 wrote to memory of 3076	3088	winlogon.exe	101
PID 3088 wrote to memory of 3076	3088	winlogon.exe	101
PID 5680 wrote to memory of 5208	5680	imoet.exe	117
PID 5680 wrote to memory of 5208	5680	imoet.exe	117
PID 5680 wrote to memory of 5208	5680	imoet.exe	117
PID 5680 wrote to memory of 2988	5680	imoet.exe	114

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	65fdbb4874824edbae3b8ddd9758f7f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe

C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe
"C:\Users\Admin\AppData\Local\Temp\65fdbb4874824edbae3b8ddd9758f7f6.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2200
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2960
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3228
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5992
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4172
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1784
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6012
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1824
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3332
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5380
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3252
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3088
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4516
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3076
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1716
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5680
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5348
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5208
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3564
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3740
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4140
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4116
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5148
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5740
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Tiwi.exe

Filesize
274KB

MD5
b72805c0ee4dda7a3de4ff381ff12e6b

SHA1
1bd9239d6d85e4f81f0815d2627636639985c3bc

SHA256
633167145a2b779380d997a99168b0e504dc5ff967ce1c10f779e41d2b5fe52d

SHA512
deb099e6d917c7bca536870aacbbcbe91f22bdddd57856bb5aa5494e8375585b9b524f28e31de2c8bf86549c433dfe0f83067715a63a53afb3c5473afbefc743

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
274KB

MD5
78bde41146ffdac20a7d875922d62e83

SHA1
c93147bb3ee3f1e4dbe376e6039cbb80ad9f9841

SHA256
09cf2990400eaf43202998fcca0ec927eb9ed71f096f8533b97514ff48451f81

SHA512
dd02d4f4260a9180d2b9a3d2abbc3dfef50046b36283620df0828c7641fc163211f22e380530c9196a34eb6bab6a96263661116992ee9b4eecda1c18c8e82a92

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
156KB

MD5
ddc83e1ec8b779ed4ac589c5b9cf0ed1

SHA1
69826765cabe46aa4f3864b56c8d3aa34824e08b

SHA256
d4fbb5a296cdbb3090eafa273d101b77b6c20ca3d656d86f0d8499fd62d77809

SHA512
be8c6ced7ebf9fe9980cf2c3a1d6f99e3feafce611ecb70772aae2f18b4419fb382b48dfb9520bfe6eca330ec13dacace61d2b36e556b011c0ab8f5817fcdc3d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
21f0f46228aee919c8b87e3daddfa001

SHA1
d9327c8e80404882527f6f32a51e754d049e4746

SHA256
9a4ca68517cafc532c93d53df753fc458f72e343943b1088d124c8fd45e3c5bd

SHA512
d7502a6023c97aae412fe4a007c182bdd47bf634c2a7e69a043d00c8c819640b514cd27ee66d75e86581dfe855211caa1bc58d8b8dc73fcd0435931ba782556a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
274KB

MD5
c3e3bc10b61938fe71bc42b07ae885a3

SHA1
a487faf7751f244108b967393a483b0a7aec0824

SHA256
ee08725423c07c7a51a93571da52eaa017af6eb84265ee2f9434b4e6ee5744cd

SHA512
503961c20d9fd9bf9567de7b1984c9f1a304278c32fcb3cca82beaee2cd4c1fffdcd308693f2954162162409198955ba303779097677827c78c4255c0ab59852

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
159KB

MD5
02a7a0ca1a522520866121651c934800

SHA1
f9e6de7a302de96935d927d463ca8c6d594cfeeb

SHA256
a27c47b4943bbaa035f2c528e9d57af743807aea8a83ab2448210b60ab7542da

SHA512
4815e329ae516db03a71eb81d9fddad2c51bf974226af5939067ce5b51a413bf91c9658dbf3b34045e896dcebc82792a7394fc8ad70da4ed7ab130e12a56f389

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
60KB

MD5
4da65c306a10b1387b039c9b8937a7c1

SHA1
2b525a13a9478476f3985c3f1fde30315d340437

SHA256
f0a37f7813c4747569eace4e03015c2497225c384ba2d636b347955d7012f99a

SHA512
cc2c29712f25f81c5d62395abc371243bc58014f88f3456992bcfcd27dc68117831190f9818849c884c97269a3c2e1781ec15c4aa5dcce504cf7ead7452f7092

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
241KB

MD5
5ba77afa9b08468090a672dd7da7617a

SHA1
729a8f707811a2610d5f5b01ddca26746fbdb311

SHA256
a51bfbd02292e40e19cbc39e5bc066d281ceeebebb427d955491df94e09ca534

SHA512
069b61bb01b9c6e9657b3c9eb1a2da413002a48e1da4b931acbb4c6bc87d0b7a43e3c8d73a2758b35fa37aaab99b70de1c952613835719ba0610796bf9a4a8fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
274KB

MD5
089a728c8da4f6527db0fad18f8555a0

SHA1
0d3310ff83de9ea7eed3832c931bf414fb4dacbd

SHA256
1163e776df2c32a4cbc775e6b5d6d0f03ec417ef7361d54da41f7f1dfbdfea96

SHA512
30277b1a82017f3c5b8a1d0dad95fbca5f36227b17c5d449e51cfdc250a74c2988f63a5ccb5ec4871493f0dab6ab1dbb27e051029d081b6339cbfb3b32b6e77a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
8aa8406c5159718483ab3ff325631a36

SHA1
856c471c4d150f69721d8727f016ccf35a509e7a

SHA256
8ea020ea5e6dad17755786c593311c6c8f1abc565e05fa9801dc040f711133ef

SHA512
56c4e3cd586b2d6d174c95b48c8dd077e6eaa21aed8d4d3846a9cacc0c3892532957dc874156e41c80224fe220b390423a0868563106b1c759f5254c0d17c7c1

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
af7e7a0c9896befc6a763b2b455e128d

SHA1
23f4f2eb81115dfa8f0069116d1c1b1e34793752

SHA256
43ac92174c123c9cacbe022e14eb3ba82234fcc7a565d17ba789d184d1b15c02

SHA512
bd67fd63d667eead122d97beed10732b5ec537014abe01cbfafa87693e90b539447b3edfbc72b6794f517daa71d9f0a55d847ffd343d9b44e0ec6b432ac8d604

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
274KB

MD5
a57c9b343d7f8c218e8df3fd9446d488

SHA1
4c56e6091b88334685f76faee53ad1433439e113

SHA256
5640a3c64559dcdf35cf51e1c106ac0d8f7ce203b93ab649d41cb74175ff1053

SHA512
a086e5690bc30d82f89d19ae0997ddd49cdea53cca408e5645f6857ae8908143f3055ad12d44dbff3acf89f74af7f427f80a6dfa5bb6dc442a33a29b2912bd53

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
274KB

MD5
07b01a7e9ce8ccf30c38100c421cb4f4

SHA1
d2f33e2788bed4730c569df72add203137a2348d

SHA256
1f00e0f529f14df448625e3daa56c6a05bea2dadb3eb6867fe7fc8e6cac485cb

SHA512
f0a6c2aa2c22cb79e68a671081abf01b840adb9934c12de133eb0d27b142466948fad135dfc4c39ec52affb9797ea2ce5565a377067f41104cb980ef312b0e90

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
99KB

MD5
a2defb4cf245bf055b7f6b04d100d54f

SHA1
e05a98332e4920247ffa95344176f30ab238fc9b

SHA256
22e01b69042263b5312208211fefe02c299fa08db46bdb9f3948421fff1e3813

SHA512
49504ac329d1e22fc56bb6c4d8df3fc69aa462e1768f57ddbdcb4477df02f0ce5ae9d6f7543eeeb045cafd1f60f56995707d1d1b35d384f815de9dfc13dbd159

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1KB

MD5
9c2c57b293b6a2064a73ef2ad9c79d2a

SHA1
7b0cc6584ec9c1cb5b0e9065a30afc9b5a9183b2

SHA256
60703aca0a843a2c305c490ad7295a6e1476ca9bed8367ce2ebc4cc961cdde75

SHA512
820f7ba614ea3112f1be28ffff8a52735fdb052fa2b3668edb92dfa51bf742c7184983d17ca5329e16d2801027e51dd1efffe141543926c591e0e724183520f5

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
63KB

MD5
486b9388251f4ac119735cd55256c22a

SHA1
b724aa8f30fa44097b5097e91770943a4e1b5905

SHA256
ab206f6309b38c3a717d101c331f1f3d922c65f2363e223f852dc1d23bcde63c

SHA512
5421d725f9745dff23da9ac5092a0e7c9e9789db922e378927a2eb6957345bde2d15d03f9ccaf84c34cb86f28cdcb5c9a319aa03ec8f493d9d9ca9f2e1ca5590

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
41KB

MD5
e474b3e4b68ca40a7660a3b6bd13a1ec

SHA1
e603adf1cf558fcc25460cc516f7c33e286d4fb5

SHA256
be8fedd9827b3aa0da36466356687fcc6ee317e70367ac3e598e33ae7ea21207

SHA512
7584c6adfb812abba2dfeae1087eb974b9981447791f39b172eeee34d4750dc58f2150724013772eadfb015d32c451c7bb77bf746b40fc065a9666b02e27f195

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1016KB

MD5
b7d3628c8c67829ffcd4990f08c7a2e5

SHA1
3336f9ca527d601b4738a3f21c12ea2de166daae

SHA256
4683746ebb5c75e4595904ea6ea0b4c42207274b89e09755a69de8ddd1a77e3f

SHA512
2a5b192ce426078091943cd20b1a64b3868869a692b693e8e4a94c1a5c87090cd91a2e41217b116b69e5ee52da26b3713585fa48b8b2777aa5275516f49e90b6

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
82KB

MD5
c041ab7aa542729904c745bee329c700

SHA1
fa408b66ae1d4d0331641b501d858e907e8135b2

SHA256
43cf50aa55fcba3637939b3420bd491c84bc996b3d0b456d13d71763abb10664

SHA512
0cce4d5aaf84176b64039c25576d6b16bc3a316e9641f33b2452d1dc503676a938152a853f0b805938ca5fec5214d7bad4c96685f0dd924c676371cc2bc6f949

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
52KB

MD5
4b188c935a831bdda4e8f171955cb3e5

SHA1
9885935debb7d52ce06ee6c1da848f502db54479

SHA256
5fbf926cf4f9a2bda06f09c201592d96fac840688a8ae2c5174abbca41da7514

SHA512
f2558bc88db5322bbea73ae6dc4a5562d1f3b9d1e2f418a64d195c7c7d3a57fc70ac738b795d0f0193eefa60368957cd2f8d107f59166809cf5ea84f7b4c2ce1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
17KB

MD5
9bfe73377416f860ad3ede60023dbd64

SHA1
cdd1ff6964236c9d7d8bd5fefc720c2bd5e2e7eb

SHA256
5d9330cb21bef986756899d85c9ed37f7de6c99ac40932b13c2b619a26bd09b4

SHA512
49bc4deac9d09d192ed0e8b5d6e1dd78c83e7e4154ae8acf8fdc2857ae6fef73296626a6a31446fc19b0d3344b94e9ca5fa15d78c6753670b68b3af28e21f3f3

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
274KB

MD5
90b7d57078396082669edf9f4a61091d

SHA1
73c4a3eb544c80f5bfceb4a449945a27d77aad13

SHA256
d6181aa809de1f45ffa0afc5ecc48e8a4586c5980da8683fb2789fcc7eea87d1

SHA512
4f4fb227a8fc2641d4d4053fa764bd36937deb267e9c116637e6972315558eadeb19b20a4c45dc7e5b474cbc5f313aa927b13a3212f2f5f169e15b9caede8094

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
274KB

MD5
65fdbb4874824edbae3b8ddd9758f7f6

SHA1
13fc501a38199ad1e58e301eccc72f08a490068b

SHA256
67c9ef0b67c7fdd30ae6c1e691127d5fe07e9bd54b27d7d3a14b7008c670499a

SHA512
60435d6a2a3f44fbc37d617c7445414c028facef794b8d8484ada1e2f6ebc8faa5c669194e7662ac6f22b5e4a984a1732769157cbb7c088670ddc1df0e2b4ae4

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
274KB

MD5
abfa388de013051ec30ce58910710426

SHA1
d56da1b47f5f4dfa83162bcc131c71c56b5d11f7

SHA256
110d9a39771d5868fc74978197a87608f8cb8ec09755cb234839d2e3407db884

SHA512
175bd5e192d59aadebdb2086ddc7e26f18254a4c530d7fd2fc51819b8e8a0c08b8f1fdfa4e5a19d1f67ac9f44674d0a2a5e3a8cb6862a3443dfbeac69cf85c54

Download Submit
C:\Windows\Tiwi.exe

Filesize
83KB

MD5
2396421cd5abcfe6fa096a6352777861

SHA1
3bcc3ce2fb588fa5a03b760bb423c5020ed0f366

SHA256
e598416afcdba77a78cd36401af82bbf37b487784ba07cc545aabcc4af49c17f

SHA512
457e811ea942b8b5e906fbc8408c8c65bddc5499578078c6d0c5947c1e65d2e6e59a0d305fef18aaaccf0b5d5982d6eb48330fe58b37b2dbaedd00a847b089bc

Download Submit
C:\Windows\msvbvm60.dll

Filesize
286KB

MD5
4f425a1e736c161e5143098502c45a54

SHA1
7eb3c6aff7ddc96020f462ba964e9b38249c6041

SHA256
d5bba4798c3761b38dc69087b7ea0f5211bf81f01079a2bd77ef7d0085438818

SHA512
4e6a150e9f11209988d63544267e3c67a7105ccf0ea5e05b7f5d8f114b9866926c3a973e6325d9d5d781b7aec4159765b7c25cda5ea679e23be8106e1bb262cc

Download Submit
C:\Windows\msvbvm60.dll

Filesize
62KB

MD5
b1011e99d51c04051e8672bc345322a2

SHA1
9450ff7d274c243ffc5dd3c35a3e322cc3c975fa

SHA256
3c8b1b01a81c5b9574a9703a0a78e19ab63e62c3b21ad37e2627148f8d56fce1

SHA512
0e6281afcbb10834267ff098bdb8cd7382ce71a360547509edfd0ced8cc4a302a5ade3e818a1b7786221821e84ba9e7d1030e541388ac1f12d05e8f85b732d65

Download Submit
C:\Windows\tiwi.exe

Filesize
171KB

MD5
34879e0909f6e39386e45985bf77917b

SHA1
0424677dfefa4c0c138db18b027e559beea5c847

SHA256
7918cc63b87abf546d66b2161043cbb21c8fce2e35a554b2765970245fcf5916

SHA512
0bf5c3679dbf3da1cb27c488b34b8363167bb3b35f875e4a60a89f31ce19f22de0ef07ee4f4dafb04d0e2fd54add30d6fb2c2aa21ea3af5a338e9c139a890470

Download Submit
C:\Windows\tiwi.exe

Filesize
155KB

MD5
7d368e5abfadd37c55c5e06fd41f0270

SHA1
23bec2d157b0b7c1fc4cf7af60cabed0d964a7b9

SHA256
ec006948e6e2848b3679aa7d0ab9b7e9fb44de12e23bb1fbfd7999bbc779e3d2

SHA512
11d790a546d1d4fcc3190bfde9a7d2ab7d70bdcc5131f3e7934dedc528acdbe1999161b5718d73d7f39ac361e2ef2e1f1de73e1857a371f031460c7ebdc5e75d

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
64KB

MD5
a759b88d309b40b66a5f68fa69fd5707

SHA1
1ebad8344bfeac9274f2707555fc563083084da5

SHA256
19bed01b32693fa46dfdbe2c50b895568045c30ad6781f12a3c6516cf2a89283

SHA512
2fcf344c7dbad8605363dc357e434281c18cfee7b0c7c85a2baee6dc41d506f5662dc7b1733b311be19407ba46aa8d8c4c6cb12e0d07c2f6405f0e4fa513e7ce

Download Submit
C:\tiwi.exe

Filesize
73KB

MD5
7c3c5788588c6f93348f4f84d2e38453

SHA1
5736dcf9ef1626396da2264aec74cb78b8ae94ba

SHA256
992d3035087b79cc0966c07914c6fc40a8c8993f17ca4efd62d2490e42c4de2b

SHA512
ab4f8049703ea1f32ef815e1ec4655e7fa9a2fc7463c04a955512b4457117af9133b733920da2dea20b56396a1ccb02c6cea44198cc5d1cf5616efb4ec5c7de5

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/1604-368-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-363-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1716-349-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1784-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1784-370-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1784-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1824-327-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2712-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2712-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2988-345-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2988-337-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3076-340-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3088-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3088-371-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3088-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3228-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3228-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3252-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3252-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3332-316-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3332-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3564-331-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3740-122-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3740-318-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3740-373-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4040-358-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4116-365-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4140-328-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4172-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4516-329-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-369-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-95-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5148-357-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5208-341-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5348-356-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5380-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5380-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5556-364-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5680-116-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5680-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5680-372-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5712-338-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5740-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5992-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5992-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6012-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6012-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download