Analysis

max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 22:16

Static task: static1

Behavioral task: behavioral1
Sample: 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Size: 488KB
MD5: 6b47c401f12e4ce4e80fbfd69520b4d0
SHA1: 38b7508d87729bf5cd0e3086dc9e6ea25d09a9d3
SHA256: 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8
SHA512: 9b616687bc856529606c076d8fc0bb1274b47326cbaf990c70cdd38fbfdcb888cd24bb0cfa5198eff5bfe478cffb5690470624bc57bfb4bdf1ffa60f5676cea4
SSDEEP: 12288:V/MM/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VTK2O2HIBEd7M
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 35 IoCs
pid | Process
3052 | Tiwi.exe
860 | IExplorer.exe
2848 | winlogon.exe
1636 | imoet.exe
328 | Tiwi.exe
536 | Tiwi.exe
776 | IExplorer.exe
2596 | Tiwi.exe
1040 | Tiwi.exe
1760 | winlogon.exe
1508 | IExplorer.exe
2592 | Tiwi.exe
1064 | imoet.exe
2348 | IExplorer.exe
2360 | winlogon.exe
2908 | IExplorer.exe
2600 | IExplorer.exe
2364 | winlogon.exe
2656 | imoet.exe
2928 | winlogon.exe
2660 | winlogon.exe
2664 | imoet.exe
2624 | imoet.exe
2920 | imoet.exe
2832 | cute.exe
2792 | cute.exe
2532 | cute.exe
1964 | cute.exe
2712 | cute.exe
2484 | cute.exe
2736 | Tiwi.exe
2716 | IExplorer.exe
1432 | winlogon.exe
1768 | imoet.exe
2472 | cute.exe
Loads dropped DLL 53 IoCs
pid | Process
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
3052 | Tiwi.exe
3052 | Tiwi.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2848 | winlogon.exe
2848 | winlogon.exe
3052 | Tiwi.exe
3052 | Tiwi.exe
860 | IExplorer.exe
860 | IExplorer.exe
1636 | imoet.exe
2848 | winlogon.exe
1636 | imoet.exe
3052 | Tiwi.exe
3052 | Tiwi.exe
1636 | imoet.exe
860 | IExplorer.exe
1636 | imoet.exe
2848 | winlogon.exe
860 | IExplorer.exe
2848 | winlogon.exe
860 | IExplorer.exe
1636 | imoet.exe
860 | IExplorer.exe
1636 | imoet.exe
1636 | imoet.exe
3052 | Tiwi.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
3052 | Tiwi.exe
2848 | winlogon.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
860 | IExplorer.exe
2848 | winlogon.exe
860 | IExplorer.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2436 | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
2832 | cute.exe
2832 | cute.exe
2832 | cute.exe
2832 | cute.exe
2832 | cute.exe
2832 | cute.exe
2832 | cute.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\W: | winlogon.exe
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\R: | IExplorer.exe
File opened (read-only) | \??\Q: | cute.exe
File opened (read-only) | \??\B: | imoet.exe
File opened (read-only) | \??\I: | Tiwi.exe
File opened (read-only) | \??\N: | winlogon.exe
File opened (read-only) | \??\S: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\Q: | IExplorer.exe
File opened (read-only) | \??\L: | cute.exe
File opened (read-only) | \??\V: | cute.exe
File opened (read-only) | \??\H: | imoet.exe
File opened (read-only) | \??\Z: | imoet.exe
File opened (read-only) | \??\E: | Tiwi.exe
File opened (read-only) | \??\R: | winlogon.exe
File opened (read-only) | \??\P: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\Y: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\O: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\O: | imoet.exe
File opened (read-only) | \??\W: | Tiwi.exe
File opened (read-only) | \??\V: | IExplorer.exe
File opened (read-only) | \??\Z: | IExplorer.exe
File opened (read-only) | \??\M: | Tiwi.exe
File opened (read-only) | \??\G: | imoet.exe
File opened (read-only) | \??\L: | imoet.exe
File opened (read-only) | \??\R: | cute.exe
File opened (read-only) | \??\Z: | cute.exe
File opened (read-only) | \??\T: | Tiwi.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\M: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\X: | IExplorer.exe
File opened (read-only) | \??\X: | cute.exe
File opened (read-only) | \??\Y: | imoet.exe
File opened (read-only) | \??\Q: | Tiwi.exe
File opened (read-only) | \??\N: | Tiwi.exe
File opened (read-only) | \??\S: | IExplorer.exe
File opened (read-only) | \??\J: | imoet.exe
File opened (read-only) | \??\T: | imoet.exe
File opened (read-only) | \??\K: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\U: | IExplorer.exe
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\J: | Tiwi.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\K: | IExplorer.exe
File opened (read-only) | \??\P: | IExplorer.exe
File opened (read-only) | \??\O: | cute.exe
File opened (read-only) | \??\P: | imoet.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\U: | cute.exe
File opened (read-only) | \??\H: | Tiwi.exe
File opened (read-only) | \??\N: | IExplorer.exe
File opened (read-only) | \??\O: | winlogon.exe
File opened (read-only) | \??\L: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened (read-only) | \??\T: | IExplorer.exe
File opened (read-only) | \??\B: | cute.exe
File opened (read-only) | \??\W: | imoet.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\X: | Tiwi.exe
File opened (read-only) | \??\V: | winlogon.exe
File opened (read-only) | \??\Y: | winlogon.exe
File opened (read-only) | \??\H: | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Modifies WinLogon 2 TTPs 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | imoet.exe
File created | F:\autorun.inf | imoet.exe
File opened for modification | F:\autorun.inf | imoet.exe
File created | C:\autorun.inf | imoet.exe
Drops file in System32 directory 40 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
Drops file in Windows directory 26 IoCs
description ioc Process
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\tiwi.exe IExplorer.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File opened for modification C:\Windows\tiwi.exe cute.exe
- File created C:\Windows\tiwi.exe cute.exe
- File opened for modification C:\Windows\tiwi.exe 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\tiwi.exe imoet.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\tiwi.exe winlogon.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\tiwi.exe 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- File opened for modification C:\Windows\tiwi.exe Tiwi.exe
- File opened for modification C:\Windows\tiwi.exe winlogon.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\msvbvm60.dll IExplorer.exe
- File created C:\Windows\tiwi.exe Tiwi.exe
- File opened for modification C:\Windows\tiwi.exe IExplorer.exe
- File opened for modification C:\Windows\tiwi.exe imoet.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
- File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 54 IoCs
description ioc Process
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ Tiwi.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ winlogon.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ IExplorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ winlogon.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" cute.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" cute.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ imoet.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ Tiwi.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe
-
Modifies Internet Explorer settings 18 IoCs
description ioc Process
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe
- Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe
-
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe
-
Modifies registry class 64 IoCs
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
- 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process
- 1636 imoet.exe
- 3052 Tiwi.exe
- 2848 winlogon.exe
- 860 IExplorer.exe
- 2832 cute.exe
-
Suspicious use of SetWindowsHookEx 35 IoCs
pid Process
- 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- 3052 Tiwi.exe
- 860 IExplorer.exe
- 2848 winlogon.exe
- 1636 imoet.exe
- 328 Tiwi.exe
- 776 IExplorer.exe
- 536 Tiwi.exe
- 1760 winlogon.exe
- 2596 Tiwi.exe
- 1508 IExplorer.exe
- 1040 Tiwi.exe
- 2348 IExplorer.exe
- 2360 winlogon.exe
- 2364 winlogon.exe
- 1064 imoet.exe
- 2600 IExplorer.exe
- 2908 IExplorer.exe
- 2660 winlogon.exe
- 2928 winlogon.exe
- 2656 imoet.exe
- 2664 imoet.exe
- 2624 imoet.exe
- 2920 imoet.exe
- 2832 cute.exe
- 2792 cute.exe
- 1964 cute.exe
- 2532 cute.exe
- 2712 cute.exe
- 2484 cute.exe
- 2736 Tiwi.exe
- 2716 IExplorer.exe
- 1432 winlogon.exe
- 1768 imoet.exe
- 2472 cute.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
- PID 2436 wrote to memory of 3052 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 28
- PID 2436 wrote to memory of 3052 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 28
- PID 2436 wrote to memory of 3052 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 28
- PID 2436 wrote to memory of 3052 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 28
- PID 2436 wrote to memory of 860 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 29
- PID 2436 wrote to memory of 860 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 29
- PID 2436 wrote to memory of 860 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 29
- PID 2436 wrote to memory of 860 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 29
- PID 2436 wrote to memory of 2848 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 30
- PID 2436 wrote to memory of 2848 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 30
- PID 2436 wrote to memory of 2848 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 30
- PID 2436 wrote to memory of 2848 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 30
- PID 2436 wrote to memory of 1636 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 31
- PID 2436 wrote to memory of 1636 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 31
- PID 2436 wrote to memory of 1636 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 31
- PID 2436 wrote to memory of 1636 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 31
- PID 2436 wrote to memory of 328 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 32
- PID 2436 wrote to memory of 328 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 32
- PID 2436 wrote to memory of 328 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 32
- PID 2436 wrote to memory of 328 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 32
- PID 3052 wrote to memory of 536 3052 Tiwi.exe 33
- PID 3052 wrote to memory of 536 3052 Tiwi.exe 33
- PID 3052 wrote to memory of 536 3052 Tiwi.exe 33
- PID 3052 wrote to memory of 536 3052 Tiwi.exe 33
- PID 2436 wrote to memory of 776 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 34
- PID 2436 wrote to memory of 776 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 34
- PID 2436 wrote to memory of 776 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 34
- PID 2436 wrote to memory of 776 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 34
- PID 860 wrote to memory of 2596 860 IExplorer.exe 35
- PID 860 wrote to memory of 2596 860 IExplorer.exe 35
- PID 860 wrote to memory of 2596 860 IExplorer.exe 35
- PID 860 wrote to memory of 2596 860 IExplorer.exe 35
- PID 2848 wrote to memory of 1040 2848 winlogon.exe 37
- PID 2848 wrote to memory of 1040 2848 winlogon.exe 37
- PID 2848 wrote to memory of 1040 2848 winlogon.exe 37
- PID 2848 wrote to memory of 1040 2848 winlogon.exe 37
- PID 2436 wrote to memory of 1760 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 36
- PID 2436 wrote to memory of 1760 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 36
- PID 2436 wrote to memory of 1760 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 36
- PID 2436 wrote to memory of 1760 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 36
- PID 3052 wrote to memory of 1508 3052 Tiwi.exe 38
- PID 3052 wrote to memory of 1508 3052 Tiwi.exe 38
- PID 3052 wrote to memory of 1508 3052 Tiwi.exe 38
- PID 3052 wrote to memory of 1508 3052 Tiwi.exe 38
- PID 1636 wrote to memory of 2592 1636 imoet.exe 39
- PID 1636 wrote to memory of 2592 1636 imoet.exe 39
- PID 1636 wrote to memory of 2592 1636 imoet.exe 39
- PID 1636 wrote to memory of 2592 1636 imoet.exe 39
- PID 2436 wrote to memory of 1064 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 40
- PID 2436 wrote to memory of 1064 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 40
- PID 2436 wrote to memory of 1064 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 40
- PID 2436 wrote to memory of 1064 2436 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe 40
- PID 2848 wrote to memory of 2348 2848 winlogon.exe 41
- PID 2848 wrote to memory of 2348 2848 winlogon.exe 41
- PID 2848 wrote to memory of 2348 2848 winlogon.exe 41
- PID 2848 wrote to memory of 2348 2848 winlogon.exe 41
- PID 3052 wrote to memory of 2360 3052 Tiwi.exe 42
- PID 3052 wrote to memory of 2360 3052 Tiwi.exe 42
- PID 3052 wrote to memory of 2360 3052 Tiwi.exe 42
- PID 3052 wrote to memory of 2360 3052 Tiwi.exe 42
- PID 860 wrote to memory of 2908 860 IExplorer.exe 43
- PID 860 wrote to memory of 2908 860 IExplorer.exe 43
- PID 860 wrote to memory of 2908 860 IExplorer.exe 43
- PID 860 wrote to memory of 2908 860 IExplorer.exe 43
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2436 -
C:\Windows\Tiwi.exe (process tree depth 2)
Command line: C:\Windows\Tiwi.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:536
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1508
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2360
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2792
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:860 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2908
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2712
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1040
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
PID:2592
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2832 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472
-
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:776
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1064
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484
-
Network
MITRE ATT&CK Enterprise v15
(count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (9)
Downloads

- Filesize: 45KB
  MD5: a9bfb351636bf76aef52ecc95cd53a67
  SHA1: 5fcaf6fbe95b0041de4b2b9b620ac092ba68862e
  SHA256: 55c5c3b0d4c0fae3e280866fc8c4f43655b85d7278d2a4c18cec56bd7f52f57d
  SHA512: a2675513d775f7ec337ff356cc34629d1592bc23de36b111826a1109757018abe2156ccab2e199298a833aa278136981b3fbb99ca2b68baef035170afe81a107

- Filesize: 488KB
  MD5: 11b278920f6ba1ade7188965dc6eb7f9
  SHA1: c80ee9d396fccde6205892860e031499b6963911
  SHA256: e54566def0456286f6711e19a1b491f61e505848bb1214428a6e7b0545c1ad63
  SHA512: f64b1944f67ae3fbef4bc49ae599927d1b4471328a75dfa49141265fb46bf32f912f3f5a172bab8cb5793d31f9b00de79918905c6e9e3538c5e84a82942c4dfb

- Filesize: 488KB
  MD5: 8f1673f029e9f9f699b7e3310239b5cf
  SHA1: 4dfb4ed0a1bcb6e8be36e36eb43f67cefd9b7e15
  SHA256: 41f09a68b8acbac97534b7900d3f7479c82421f1984ecd83ed7f09e2bc0fbe51
  SHA512: 90b6c022cdf1ae14e01c8f3170814dde1a563e3ebea02eca7a378430c819aaef69439e04f6a1407380ae0e9a0b021faddb5243957d2ea9a2d9ce492975d42049

- Filesize: 488KB
  MD5: 4a86b83504bb2ca43cdaf8f0a3f8f364
  SHA1: 46dc9b9c29c7d6ba7daf244e8a30d2be390ddd99
  SHA256: 873035aae2992930d57933d23666345dadef42de42111bf9546615f23dd450f5
  SHA512: d8585a8a2e0a52920b20ca0a75790d2359d5a77359fc5ca58a9a7b61e8b1784862b996565f77e19bfe3ebbf042fbcc7de3f66f1c30fc1f6bcf096a200221428b

- Filesize: 488KB
  MD5: 22f8a5b6f1657d82f207e527cf15b56c
  SHA1: 5f25a5edb79529205472e0afc1513e04bf4df73f
  SHA256: 5fbc2bfc7883c36246fe99b733e5d8d5ea18b2ddf995d8ad5121e27395f674ce
  SHA512: 6a9b7d757fc1fe63304cf7750ad69ac43f6c545a3e79d071ccf57d8fa61bebf82eb65f77bffc958d9dfe5abc07f72a83ee9d53622e2ad6bc7e3c09e994d84ea5

- Filesize: 45KB
  MD5: c2c5de066e3aa8c70b8e111ed915911f
  SHA1: 38135796d85dde98d34efa43e73bdd24c1ad210a
  SHA256: d460a95b8a61dd0bd86e9807a01f8096591a6484e20a7c31718882ddef4a71ad
  SHA512: 9778b7d8d9b5e9ab695d9141357e2f7d47947e991505a7b5cddc64994704439e7de738a73f54d2a81b4128113f623cd8f3ec6e15a2789fd5b2f0ea3f86d53d49

- Filesize: 45KB
  MD5: af05238cf406431f4459473111dacfe7
  SHA1: 6b6d6b1a99ff295d820f0b846c69e9de2e761b68
  SHA256: b7a815b20bf40ce02e6b3c83c8801a49a422585704c6b3d13e4010405507fdb9
  SHA512: 85a6b937c8963382275e5fc80553288f554f28bbed3c4c645df1ab3f7968ad6d2e3743327ddb35630951faf1071637036b1915b8353b854e039003cf69325afe

- Filesize: 45KB
  MD5: 86022385d42020167eade3eb79e7760c
  SHA1: 11e65b0ca92dff2c98517b014b0811633c353b1c
  SHA256: b3dbd705fabb835de789521326f216a08227ee7af21048e628fd77aa14d4dbb9
  SHA512: 4fcb5821047d44cef03cc36702d5fdeac54349c0e537359856422ba60991c8d3444f5e6a458fe5c80da940586dad9ca25dfd22485ed27dcffef26a81b5b2d22b

- Filesize: 45KB
  MD5: c1151e3fbfa0ca89fd026b4b36f576ca
  SHA1: 588d83d4da669ab810a2a9d81108be45e9df57de
  SHA256: 605f02b7664c81487930b83a5b615308c862c77fd8e15c6484500e59cc5bb115
  SHA512: 82fed501c6bf4dda7e4f44ef72ba1850e0dec1950b9b657c8692ec1994bfcbedb8cfe8081dad9ce37404651a1a66c4f0de2d6ccb194186c7ac21b0558d1c68c1

- Filesize: 488KB
  MD5: a80e25a696b466d97385ed5b7d6759fd
  SHA1: ad56fe67dfa02cdd43a5a409d93897735e76d8d6
  SHA256: d3a913a2ab59a6d7921d861169b49bb0185751c8b0149adc844166c234ed720a
  SHA512: 19445d43a983268ce94a1d6de984ee5536dc6b26f2326d42f1d5346ce09849c859ba6b8c9b12cbce2a790c1b0d0ab0a255b315f31b1df8f08d3f2d2703e7dba9

- Filesize: 488KB
  MD5: 25a6d4a1bcc4a46458f12b5b27e51153
  SHA1: c2178c2eb8472fcdc0dd2fe5d8cc89ee46049f25
  SHA256: e7bec4b525ec465d3f41b71bf345f808c2fc5b7df0c330f1583b1c4d7ac35c9d
  SHA512: 979f90f06577436df23ddb0084131df1b36aad4b81b9087a2bb1eba8c7d4889e3cb3e8b8a7d74a2640e8e0198f59bc7d222f62b45d4381ff4d33751b11e5a483

- Filesize: 488KB
  MD5: b6ac9bb2948ff321f27e46e95e69190a
  SHA1: 925d63270c4eefb96b270d59efa9cc1e0e12a963
  SHA256: f1ddc2bcc7549f3bf6af5002ee694506dd4a15615cd91b5f7bccd62d65f2fd29
  SHA512: 6061baf9400288d8798f54cd251282c19d7bd9edba533b0866fc050210747964a1bf83bfd19de171ae7cfa307ace286a92ff26954727c54100a66e7c9fc1a582

- Filesize: 488KB
  MD5: af6977b5956a481c5c5dab6ec4603641
  SHA1: fa5a7c4f12cc9bff2b5f97cdcf1681ddbbde903a
  SHA256: 898104db2e120712e9a85985dda7ed8829c0de2120474032d4076467657c24b1
  SHA512: 21f72bff744d1d12b7795a393cd44fda23ec9ed42ecf4e1e12085c9283450dc52727a6acb2fc2a734b95288bb7aa87ec6e44a38c3c0b65b2ea780160b686b030

- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

- Filesize: 488KB
  MD5: 3b8701509a3c3efd2a70e48ee5afee8f
  SHA1: 5d3198514162c913514c29c065abffaba25ee526
  SHA256: ae22d49bd0ce12fc090b2be86ca80525297496182ddb7ee5a2c0805581e9c0b8
  SHA512: 8de8e02bbdf0cd116923418c0c2ff58cfb3b1febbdf630f2e4e3cc5dd4911ba37397652b704be4a6f914eb13e76125e9898d88a6b1ca8397a53b84ea0eafe9e1

- Filesize: 488KB
  MD5: 3a978cb5f00cdc8803103e44cbbbbd94
  SHA1: dba231c91a0d61a64b27035e22db4450cf34d1e2
  SHA256: d49fa62c17c2da5221b335c8988ce9bdfe9647a1f872052b7c91db94f5847aa8
  SHA512: 9da3144d5c5ee4ed5835c5f876e581cda0018ddc725d97b099fa89c0bbb4d36d3d13c368e5c1f8355a031f17611b32d2ba9ba11a0f22040bc97dac08e9d295d5

- Filesize: 488KB
  MD5: d1c1a785d894ff2dff885df3ecac3b6f
  SHA1: 9a2ceed250248b4058c39a4ae06c19341f9ace8c
  SHA256: a6feb3d843d743ab5ca760f297c08804c7848270f76366d2b0cd7ab91e3aef3b
  SHA512: e63b08aa0906cc586aedf54422e89992cc4d17dfd90cffcca6f315ca06784116d52a07135caac47b506b8325c3be0dc582de2067a54bbfbdf8348eb16f631b3f

- Filesize: 488KB
  MD5: 6b47c401f12e4ce4e80fbfd69520b4d0
  SHA1: 38b7508d87729bf5cd0e3086dc9e6ea25d09a9d3
  SHA256: 1e4d5272630e3ba6f2de352c179cc0c6d042780d081b2db07572b0aaccbe6de8
  SHA512: 9b616687bc856529606c076d8fc0bb1274b47326cbaf990c70cdd38fbfdcb888cd24bb0cfa5198eff5bfe478cffb5690470624bc57bfb4bdf1ffa60f5676cea4

- Filesize: 488KB
  MD5: d4aa26c75d8db37841f09ab5c7e5ce4e
  SHA1: a1e1f8d82f55a15d8e76c762d976f0516bc49985
  SHA256: aadc1c3d82608d0fdc418ad9b0a59b88bc1bd7219cf9cc10de908ecf5757ceea
  SHA512: 083f3065217d5753d641ef67f085be63a0060d575147f7e4e6698f538213e1e1df2bee33157be73ebfd10e607ee86d5cf53c2d65630dda7d3bc2922052827fdd

- Filesize: 488KB
  MD5: 5f645f08b38dda58c0a873656b96921a
  SHA1: 259795d13fa36b1fc8b91cecb07b9985c9e9b41d
  SHA256: 0ee8840412a661d19f4b3d1c2a22850a75fe6b4a4f5bbcd3f21a4654ead74081
  SHA512: 2075fc5a2f4b3b4c3ae762ef85423e58978e90c0dd66928a7d0e9633a1c773094041355e3e51d1b8c401ab71589b76a12b4ebe493372109041c19b3b157620ba

- Filesize: 488KB
  MD5: 31cb5f3e24e7ca48c6b83a7c0972936c
  SHA1: 238763977ce60e4e6031afca8e2210419ce3d3c1
  SHA256: 1865e2f321da1b3d5df4d26aa4951dcf3aa7ad8adbc097a32a06dadd38852dd6
  SHA512: 596816b9d285a911ae5e12e52a5581c3c2559febb200880af3d6e7fba345cca7557fc25d091003bb3d8be55b0c97c876c3b1b5a49616366e854c276815bb86a2

- Filesize: 488KB
  MD5: 03ea5ac9fcb1d76f9ae82b7f1121f968
  SHA1: 9af51df4a0ce8e8dc79384b0de146bd81ef66450
  SHA256: 2ee953dff082761acfb22688077b5fe8e762b49af68eb296e5c4ad3576226e3e
  SHA512: 5c4726df02cb7f87848c5152c417a517735d65af0c523966de77609deec4f2d24e39b48baee30106367a4dd504440786bc9f83384951cdd5876417a538c85026

- Filesize: 488KB
  MD5: afc0409dd4ce0da290151e2db1bdcda2
  SHA1: 0fe39d4a3ba8008eaa0bcb0866a239ce5ae28c4b
  SHA256: 2c70a43ea710cf85165b4c35965cdf319f37e740a55c4785cfc06e02e0c83ed5
  SHA512: 43c30dd83b1621ae565f757010f0be3b2d362aedf282d75fcdd7f5d608ce26cd17a9da48db9488110f738c506b0aa4615cf81ebcdc556d3bec6aa95110a66830

- Filesize: 729B
  MD5: 8e3c734e8dd87d639fb51500d42694b5
  SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

- Filesize: 488KB
  MD5: 1a5040be7a2c4ed470280d09f74873bd
  SHA1: 97c8e7b3a511f85ffa515431dc5a929d2bca7589
  SHA256: d03d82b21ea658a68cea15dc0ad6067175ee18692b4a00674762168ad04bcd5e
  SHA512: 64706aaa478817303142c930faeb3ae9d9bb212e456425b4ff6ced2c0afbe018d3b121a7e153046deee3e260d24a9f5056b5f8538ea2ee534ce272e019839c95

- Filesize: 488KB
  MD5: 1ae6bff16cdff7d3fea0b90be4ccbe05
  SHA1: fcbc30776af93876356c170d39df97a2ca138268
  SHA256: 61fbeb7e8be6f08fa4ee09d342c8979cec6b6e670947abf06455e10d0a0948fe
  SHA512: e066fd143fc6934f9b623afd099205fe9cbe8d6f12c81c677208cfa82c89d819d4a4c5f871587bddb141055480b5e68ba139160ce7532aff1e82ec9e87323950

- Filesize: 488KB
  MD5: f5a4e916812274aa67f9632c0cfc4fd4
  SHA1: d1c2ceab8b92ead0ef63583905ee3d1c13836ced
  SHA256: 91d69e9b108c0101c86c19989e8475c63acc7ff9c804a31eb948105d5f7c746d
  SHA512: 811111c7a5705e9b4a0ce0783984f338759ab264905e0486d5a53654513a82dc6a9a601647fbc4130f70ff4c9200e637b2e6f020b6079dc2efc5982e507b0b43

- Filesize: 488KB
  MD5: 1941f7514f54c1ab96bbf26bb3811be0
  SHA1: f6acd033329739b62050b2055ef806aec838ea7b
  SHA256: bc8644eff5766781eacffcf2ce8b12ec1a1ae0e78e986a4a174641d5fae8c778
  SHA512: 381650b52fd93161d0eb90b63b4e942aff499118d81710fa8b5863a5eb89bcec50aba3a6ce6ccfd0ef2f3103a439c2aa67a309b7313aca1c32a559880bdfd825

- Filesize: 39B
  MD5: 415c421ba7ae46e77bdee3a681ecc156
  SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

- Filesize: 488KB
  MD5: 4dc09e82cde5379bb6c4449145c148dd
  SHA1: 1fd72f94be359f441d90aa7ac2bd2e3bafd8550c
  SHA256: 42c99938715f3fa60ae4bd9cdcaef9e64b09659790f05dea2e0bee08b91a941a
  SHA512: 5626599c49f0a99543b6f277c95ac7797c5f85c428e6d72f77e7fd962bb21826ebd8be4d391ae3ed3c77b80f23a5b0f1a720fe0ae47fad28a19661734ae9a294

- Filesize: 488KB
  MD5: b41540eeab0c6be963500fb40831febd
  SHA1: c46ebd95aff9621f91c0f1dea3b5b4e557e845aa
  SHA256: 73ecea96029142fb893d1475803515f1b3789411e8ac60878cbcc8f0b49d2c57
  SHA512: ebcba78e191548e4fd1443e38b4288f614fba0dbc93783ed9dfc7b9ffe079ac0f1cccecc5d451c661591ed6051d6d93e0c36d19e5801eda3b8e00233ea87bf86